From jhansonxi at gmail.com Tue Jan 1 23:39:58 2013
From: jhansonxi at gmail.com (Jeff Hanson)
Date: Tue, 1 Jan 2013 17:39:58 -0500
Subject: Obtain a signature ID with only a sig file?
Message-ID:
Is there a way to obtain the signature ID from a detached sig file without
the signed file? I haven't been able to get anything out of gpg without
both files present.
From jhansonxi at gmail.com Tue Jan 1 23:38:25 2013
From: jhansonxi at gmail.com (Jeff Hanson)
Date: Tue, 1 Jan 2013 17:38:25 -0500
Subject: No subject
Message-ID:
Is there a way to obtain the signature ID from a detached sig file without
the signed file? I haven't been able to get anything out of gpg without
both files present.
From dkg at fifthhorseman.net Wed Jan 2 03:02:33 2013
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Tue, 01 Jan 2013 21:02:33 -0500
Subject: Obtain a signature ID with only a sig file?
In-Reply-To:
References:
Message-ID: <50E39539.1010905@fifthhorseman.net>
On 01/01/2013 05:39 PM, Jeff Hanson wrote:
> Is there a way to obtain the signature ID from a detached sig file without
> the signed file? I haven't been able to get anything out of gpg without
> both files present.
If you're talking about the "SIG_ID", then i don't think that's
possible. According to the DETAILS file
(/usr/share/doc/gnupg/DETAILS.gz on debian-ish systems):
>> SIG_ID
>> This is emitted only for signatures of class 0 or 1 which
>> have been verified okay. The string is a signature id
>> and may be used in applications to detect replay attacks
>> of signed messages. Note that only DLP algorithms give
>> unique ids - others may yield duplicated ones when they
>> have been created in the same second.
>>
>> Note, that SIG-TIMESTAMP may either be a number with seconds
>> since epoch or an ISO 8601 string which can be detected by the
>> presence of the letter 'T' inside.
And you can't have a signature that's "verified okay" if you don't have
the data that was signed, since the OpenPGP signature block doesn't
contain the digested data itself (v3 data signatures contain the two
leftmost octets of the digest, but that's certainly not enough to
calculate the SIG_ID).
Regards,
--dkg
From fabio.coatti at gmail.com Wed Jan 2 11:05:47 2013
From: fabio.coatti at gmail.com (Fabio Coatti)
Date: Wed, 2 Jan 2013 11:05:47 +0100
Subject: smartcard key change
Message-ID:
Hi All,
I'm playing a bit with a fsfe fellowship card, and I've noticed an
issue but I can't say if in gpg or in me :)
basically, the card works as expected (signing, encryption, etc..)
with a subkey only setup; I've then changed the sign subkey with a
new one, but I noticed that I mistakenly loaded a 4096bit subkey (out
of spec, IIRC, it works but it is fairly slow :) ). I then tried to
place the previous sign key... and gnupg fails with this error:
Please select where to store the key:
(1) Signature key
(3) Authentication key
Cosa scegli? 1
gpg: WARNING: such a key has already been stored on the card!
Replace existing key? (y/N) y
gpg: secret key already stored on a card
but the card has the 4096 key on it; so it seems that gnupg flags every
key that has loaded on card as "on card", but it is impossible to tell
gnupg that a key has been removed from card.
Interesting enough, gpg --card-status (or gpg --edit key /toggle/list)
shows that 4 keys are on card :)
i.e. the secret key description reports "card-no: 0000 00000XXX" below
4 keys and not only three.
My guess is that gpg flags every subkey sent to card with the card
number and checks the number when requested to install it again... but
is there any way to tell gpg to clear that card number field?
--
Fabio
From peter at digitalbrains.com Wed Jan 2 12:31:10 2013
From: peter at digitalbrains.com (Peter Lebbing)
Date: Wed, 02 Jan 2013 12:31:10 +0100
Subject: smartcard key change
In-Reply-To:
References:
Message-ID: <50E41A7E.7090700@digitalbrains.com>
On 02/01/13 11:05, Fabio Coatti wrote:
> Replace existing key? (y/N) y
> gpg: secret key already stored on a card
>
> [...]
> My guess is that gpg flags every subkey sent to card with the card
> number and checks the number when requested to install it again... but
> is there any way to tell gpg to clear that card number field?
It doesn't just flag the secret key as stored on card, the secret key in your
keyring is /replaced/ by a stub that just says the key is stored on the card. So
your secret keyring no longer contains the secret key.
You will need to recover the secret material from a backup.
At least, I am fairly sure this is the case. I have not tried it out since I
don't want to screw up the keys on my smartcards :).
You say we are talking about a signing key here, so you could also just generate
a new signing key.
Good luck,
Peter.
--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at
From fabio.coatti at gmail.com Wed Jan 2 14:09:39 2013
From: fabio.coatti at gmail.com (Fabio Coatti)
Date: Wed, 02 Jan 2013 14:09:39 +0100
Subject: smartcard key change
In-Reply-To: <50E41A7E.7090700@digitalbrains.com>
References:
<50E41A7E.7090700@digitalbrains.com>
Message-ID: <1529983.rXxy3Ca5LQ@calvin>
On Wednesday 2 January 2013 12:31:10, Peter Lebbing wrote:
> On 02/01/13 11:05, Fabio Coatti wrote:
> > Replace existing key? (y/N) y
> > gpg: secret key already stored on a card
> >
> > [...]
> > My guess is that gpg flags every subkey sent to card with the card
> > number and checks the number when requested to install it again... but
> > is there any way to tell gpg to clear that card number field?
>
> It doesn't just flag the secret key as stored on card, the secret key in
> your keyring is /replaced/ by a stub that just says the key is stored on
> the card. So your secret keyring no longer contains the secret key.
>
> You will need to recover the secret material from a backup.
>
> At least, I am fairly sure this is the case. I have not tried it out since I
> don't want to screw up the keys on my smartcards :).
>
> You say we are talking about a signing key here, so you could also just
> generate a new signing key.
>
No big deal, I have the needed backups; now I figured out what's going on,
thanks. Maybe the message "gpg: secret key already stored on a card" is a bit
misleading here :)
Many thanks!
--
Fabio
From dkg at fifthhorseman.net Wed Jan 2 19:50:10 2013
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 02 Jan 2013 13:50:10 -0500
Subject: [Enigmail] Problem with automated decryption of encrypted drafts?
(Key unlocking popup nightmares)
In-Reply-To: <50E4042D.2090907@enigmail.net>
References:
<50E4042D.2090907@enigmail.net>
Message-ID: <50E48162.50502@fifthhorseman.net>
On 01/02/2013 04:55 AM, Patrick Brunschwig wrote:
> On 01.01.13 19:57, Sini Ruohomaa wrote:
>> 1) The request popup to unlock my key blocks my _entire X session_,
>> also when TB is minimized, which I think seems needlessly rude. It
>> also doesn't cache my 'cancels' (so I can be asked for the password
>> for 5+ times in a row before I can go back to doing whatever I was
>> doing) and doesn't indicate what it needs the key for. (To
>> reproduce, cause the key popup to appear and just try to ignore
>> it.)
>
> That's because pinentry blocks your X session. pinentry is part of
> GnuPG 2.x, and there is nothing Enigmail could do about it. AFAIR
> there is an option in gpg-agent.conf to disable blocking the X session.
Bug reports or suggestions about pinentry behavior should probably go to
a gnupg list (i've cc'ed gnupg-users here, please follow up appropriately)
Do any gnupg contributors have suggestions about the "fails to cache my
'cancels'" concern Sini raised above? I'm not sure how the pieces could
fit together to improve the user experience without breaking
expected/desired behavior in other contexts.
--dkg
From wk at gnupg.org Wed Jan 2 20:18:27 2013
From: wk at gnupg.org (Werner Koch)
Date: Wed, 02 Jan 2013 20:18:27 +0100
Subject: [Enigmail] Problem with automated decryption of encrypted drafts?
(Key unlocking popup nightmares)
In-Reply-To: <50E48162.50502@fifthhorseman.net> (Daniel Kahn Gillmor's message
of "Wed, 02 Jan 2013 13:50:10 -0500")
References:
<50E4042D.2090907@enigmail.net> <50E48162.50502@fifthhorseman.net>
Message-ID: <877gnvfl6k.fsf@vigenere.g10code.de>
On Wed, 2 Jan 2013 19:50, dkg at fifthhorseman.net said:
>> GnuPG 2.x, and there is nothing Enigmail could do about it. AFAIR
>> there is an option in gpg-agent.conf to disable blocking the X session.
It is called --no-grab.
> Do any gnupg contributors have suggestions about the "fails to cache my
> 'cancels'" concern Sini raised above? I'm not sure how the pieces could
I am not sure what he means. However, recent GnuPG's and pinentries
have a cancel-all feature: Either the pinentry features an appropriate
button or you use the close-window button of the pinentry which also
sends the cancel-all message.
This is useful if gpg starts looking for --throw-keyid keys and you know
that you don't have the key.
Shalom-Salam,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
From vedaal at nym.hush.com Wed Jan 2 20:32:30 2013
From: vedaal at nym.hush.com (vedaal at nym.hush.com)
Date: Wed, 02 Jan 2013 14:32:30 -0500
Subject: Obtain a signature ID with only a sig file?
In-Reply-To:
References: <20130102162326.318376F443@smtp.hushmail.com>
Message-ID: <20130102193231.23C2E6F443@smtp.hushmail.com>
Jeff Hanson jhansonxi at gmail.com wrote on
Tue Jan 1 23:39:58 CET 2013 :
>Is there a way to obtain the signature ID from a detached sig file without
>the signed file?
-----
It can be done by using gpg --list-packets 'detached sig filename'
Here is what happens on my system by doing the above for a detached signature file,
when only the signature file is present, and the file signed is not:
$ gpg --list-packets /cygdrive/c/users/vedaal/'My Documents'/km1.pdf.gpg
:compressed packet: algo=1
:onepass_sig packet: keyid A306C37B495CA15B
    version 3, sigclass 0x00, digest 8, pubkey 1, last=1
:literal data packet:
    mode b (62), created 1357154353, name="KM1.pdf",
    raw data: 24689 bytes
:signature packet: algo 1, keyid A306C37B495CA15B
    version 4, created 1357154353, md5len 0, sigclass 0x00
    digest algo 8, begin of digest 88 48
    hashed subpkt 2 len 4 (sig created 2013-01-02)
    subpkt 16 len 8 (issuer key ID A306C37B495CA15B)
    data: [2048 bits]
vedaal
From dkg at fifthhorseman.net Wed Jan 2 20:36:22 2013
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 02 Jan 2013 14:36:22 -0500
Subject: Obtain a signature ID with only a sig file?
In-Reply-To: <20130102193231.23C2E6F443@smtp.hushmail.com>
References: <20130102162326.318376F443@smtp.hushmail.com>
<20130102193231.23C2E6F443@smtp.hushmail.com>
Message-ID: <50E48C36.2030809@fifthhorseman.net>
On 01/02/2013 02:32 PM, vedaal at nym.hush.com wrote:
> Jeff Hanson jhansonxi at gmail.com wrote on
> Tue Jan 1 23:39:58 CET 2013 :
>
>> Is there a way to obtain the signature ID from a detached sig file without
>> the signed file?
>
> -----
>
> It can be done by using gpg --list-packets 'detached sig filename'
this does not produce the sig id. it produces the key ID of the issuer
of the signature, which is a different thing.
regards,
--dkg
From jhansonxi at gmail.com Wed Jan 2 22:33:44 2013
From: jhansonxi at gmail.com (Jeff Hanson)
Date: Wed, 2 Jan 2013 16:33:44 -0500
Subject: Fwd: (No Subject)
In-Reply-To:
References:
Message-ID:
Re: Obtain a signature ID with only a sig file?
Thanks. Based on that this also worked:
wget http://.gpg --output-document=- | gpg --verify - /dev/null
I'm writing a kickstart script for Ubuntu and needed a way to test a
repository connection before using apt. The problem with apt is that it
doesn't have a way to test for connectivity with a specific repository. I
wanted to test for connectivity of a newly added repo by downloading the
smallest verifiable file available (because of ISP data transfer caps) and
the Release.gpg is the best target I've found. Even better is being able to
get a verifiable key ID without having to make a temporary file. I'm not
worried about verifying the Release list since apt will download that and
its own copy of the sig for verification. I just wanted to catch 404
error pages and the like without having apt download the package lists of
every repo (many MB each).
---------- Forwarded message ----------
From: Anonymous Remailer (austria)
Date: Wed, Jan 2, 2013 at 3:17 PM
Subject: (No Subject)
To: jhansonxi at gmail.com, gnupg-users at gnupg.org
Jeff Hanson wrote:
> Is there a way to obtain the signature ID from
> a detached sig file without the signed file?
> I haven't been able to get anything out
> of gpg without both files present.
>
echo|gpg --verify detached.sig -
follow:
$ gpg -b -u testkey foobar
$ gpg --verify foobar.sig
gpg: Signature made 01/02/13 00:00:00 using DSA key ID DEADBEEF
gpg: Good signature from "testkey (testkey)"
$ del foobar
$ echo|gpg --verify foobar.sig -
gpg: Signature made 01/02/13 00:00:00 using DSA key ID DEADBEEF
gpg: BAD signature from "testkey (testkey)"
$ gpg --delete-secret-and-public-key testkey
sec 1024D/DEADBEEF 2013-01-02 testkey (testkey)
Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y
pub 1024D/DEADBEEF 2013-01-02 testkey (testkey)
Delete this key from the keyring? (y/N) y
$ echo|gpg --verify foobar.sig -
gpg: Signature made 01/02/13 00:00:00 using DSA key ID DEADBEEF
gpg: Can't check signature: public key not found
$
From oub at mat.ucm.es Thu Jan 3 21:32:16 2013
From: oub at mat.ucm.es (Uwe Brauer)
Date: Thu, 03 Jan 2013 21:32:16 +0100
Subject: gpgsm: smime, various secret keys,
various email addresses how to configure
Message-ID: <87fw2i80tr.fsf@mat.ucm.es>
Hello
I am not sure that this is the correct list to ask and whether my
question is too elementary, but I could not find a solution using google.
I started to use smime, via xemacs, gnus, epg and gpgsm. [1]
I have 3 accounts, one for work two private ones. I obtained free
certificates from www.comodo.com.
Now the issue is that epg (the lisp interface) chooses the first secret
key which is listed via
gpgsm --list-secret-keys
For any email, even if I use a different account.
However I would like to have
user1 at gmail.com key1
user2 at gmail.com key2
user3 at gmail.com key3
The epg author referred to the gpgsm manual or the mailing list, however
I can't find a relevant description
Can somebody help me?
Thanks very much in advance
Uwe Brauer
Footnotes:
[1] I used gpg, but most of the people I correspond with considered it
as too user-unfriendly.
From mortenkjarulff at gmail.com Thu Jan 3 22:43:33 2013
From: mortenkjarulff at gmail.com (Morten Kjærulff)
Date: Thu, 3 Jan 2013 22:43:33 +0100
Subject: Is a document signed with hellosign legally binding?
Message-ID:
Hi,
This is an off-topic question, but I do not know where to go with it.
I just signed up with hellosign.com. It is a service where you upload an
image file with your handwritten signature. Later on you can upload a
document and they will merge your signature and document, and mail it to
the one you specified. (at least that is how I understand it)
They claim (http://www.hellosign.com/info/faq) that electronic signatures
are legally binding, and refer fx to "European Directive (EC/1999/93)" (
http://ec.europa.eu/information_society/policy/esignature/docs/electronic_sig_report.pdf).
As far as I can see, this document is about digital signing using
certificate and so on.
As I see it, the service provided by hellosign.com has nothing to do with
the topics in "European Directive (EC/1999/93)".
Am I right or wrong?
/Morten
From hka at qbs.com.pl Fri Jan 4 00:33:53 2013
From: hka at qbs.com.pl (Hubert Kario)
Date: Fri, 04 Jan 2013 00:33:53 +0100
Subject: Is a document signed with hellosign legally binding?
In-Reply-To:
References:
Message-ID: <1414183.l2L7tov6G1@bursa22>
Hi Morten,
On Thursday 03 of January 2013 22:43:33 Morten Kjærulff wrote:
> Hi,
>
> This is a off topic question, but I do not know where to go with it.
>
> I just signed up with hellosign.com. It is a service where you upload an
> image file with your handwritten signature. Later on you can upload a
> document and they will merge your signature and document, and mail it to
> the one you specified. (at least that is how I understand it)
>
> They claim (http://www.hellosign.com/info/faq) that electronic signatures
> are legally binding, and refer fx to "European Directive (EC/1999/93)" (
> http://ec.europa.eu/information_society/policy/esignature/docs/electronic_
> sig_report.pdf). As far as I can see, this document is about digital
> signing using certificate and so on.
>
> As I see it, the service provided by hellosign.com has nothing to do with
> the topics in "European Directive (EC/1999/93)".
>
> Am I right or wrong?
>
> /Morten
As always on the Internet, IANAL. Even if I were, this wouldn't be a legal
advice, not legally binding, yada yada. What's more, I have no knowledge how
exactly their system works so below is just my opinion and bits of knowledge
about how digital signatures work in EU.
Now, back to the issue in question.
In one sentence: this looks very fishy to me.
First: basically only Qualified Electronic Signatures are unquestionably
legally binding.
Second: Qualified Electronic Signature can only be created using a Secure
Signature Creation Device (a.k.a. cryptographic token).
Third: to get a Qualified Certificate you need to personally visit (this may
be more relaxed in some countries) one of certification authorities and
present some kind of state issued ID.
Considering that the biggest problem (as far as proving its origin, creation
date, etc.) with electronic data is that it is very easy to copy, the whole
goal of digital signatures was directed to make it impossible to copy a
signature (in a way for it to still be valid) without copying verbatim the
file/data that was signed. They are doing exact opposite. The only thing
against that is the audit trail. If it doesn't use third party provided time
stamps in one way or another I'd bluntly call it useless.
They perform no detailed verification of the person's identity (I can submit
scan of Steve Jobs signature and his photo, doesn't make me Steve Jobs).
As such, I'd say it's very unlikely for the scheme described to be regarded
as trustworthy (and admissible before court without question), let alone
usable for Qualified Electronic Signing.
The only stuff they can reasonably prove, is that a document was created
before such and such time and uploaded at such and such time to their
service. gmail can do just as much. I'd say if the other person signing a
contract is also using gmail it's just as secure and trustworthy.
But maybe it's just my bias against crypto that doesn't use DSA/RSA/ECC...
Regards,
--
Hubert Kario
QBS - Quality Business Software
02-656 Warszawa, ul. Ksawerów 30/85
tel. +48 (22) 646-61-51, 646-74-24
www.qbs.com.pl
From chd at chud.net Fri Jan 4 00:45:39 2013
From: chd at chud.net (Chris De Young)
Date: Thu, 03 Jan 2013 16:45:39 -0700
Subject: Is a document signed with hellosign legally binding?
In-Reply-To: <1414183.l2L7tov6G1@bursa22>
References:
<1414183.l2L7tov6G1@bursa22>
Message-ID: <50E61823.4090007@chud.net>
>> This is a off topic question, but I do not know where to go with it.
>>
>> I just signed up with hellosign.com. It is a service where you upload an
>> image file with your handwritten signature. Later on you can upload a
>> document and they will merge your signature and document, and mail it to
>> the one you specified. (at least that is how I understand it)
Although this isn't an answer to your question - I'm not sure I
understand the benefit of such a service in the first place; what is the
advantage of this process over printing your document instead of
uploading it, signing it yourself with a pen, and mailing it to the one
you want it to go to yourself?
If the idea is that the document isn't a format that lends itself to
printing, how do they "merge" your signature image with it in any
meaningful way that you couldn't do yourself just as easily?
Just curious...
-Chris
From rjh at sixdemonbag.org Fri Jan 4 02:59:27 2013
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 03 Jan 2013 20:59:27 -0500
Subject: Is a document signed with hellosign legally binding?
In-Reply-To:
References:
Message-ID: <50E6377F.8040107@sixdemonbag.org>
On 1/3/2013 4:43 PM, Morten Kjærulff wrote:
> They claim (http://www.hellosign.com/info/faq) that electronic
> signatures are legally binding, and refer fx to "European Directive
> (EC/1999/93)"
There is usually a world of difference between what cryppies consider a
"legally binding signature" and what is really a legally binding
signature. The law has many ways for a signature to be deemed binding:
the law has many ways for a binding signature to be repudiated. Whether
a signature is really binding in your specific case is a legal question
for which you'll need to consult with a lawyer licensed to practice in
your area.
From expires2013 at ymail.com Fri Jan 4 03:23:36 2013
From: expires2013 at ymail.com (MFPA)
Date: Fri, 4 Jan 2013 02:23:36 +0000
Subject: Is a document signed with hellosign legally binding?
In-Reply-To:
References:
Message-ID: <217108513.20130104022336@my_localhost>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hi
On Thursday 3 January 2013 at 9:43:33 PM, in
,
Morten Kjærulff wrote:
> It is a service
> where you upload an image file with your handwritten
> signature. Later on you can upload a document and they
> will merge your signature and document, and mail it to
> the one you specified.
I can't quite see the point of this. Surely you could just paste the
image of your signature into the document yourself, save it as a PDF
(for example), and email it to the intended recipient.
I also question whether I would want to give somebody else an image of
my handwritten signature, especially a website that requires you to
enable scripts from about a dozen domains.
> They claim (http://www.hellosign.com/info/faq) that
> electronic signatures are legally binding, and refer fx
> to "European Directive (EC/1999/93)"
> .
A quick skim through that document suggests to me the basic intention
of the directive is for electronic signatures to have the same legal
status as handwritten signatures. I'm not convinced that document is
hugely relevant.
I see no reason why the image of your signature placed into the
document should have any different status than:-
* typing your name and making clear it constituted a signature, or
* one of those rubber-stamp signatures that solicitors used to use
on cheques, or
* an actual handwritten signature.
Of course, I am not legally trained. Anybody taking the advice of
anonymous strangers over the internet does so at their own risk.
>
> As far as I can see, this document is about digital
> signing using certificate and so on.
Yes. Although the document does mention on page 215: "An e-signature in
the form of a computer-generated facsimile would have satisfied the
requirements of the Insolvency Act in terms of signing a proxy voting
form." That sounds very much like adding an image to a document as an
electronic signature.
> As I see it, the service provided by hellosign.com has
> nothing to do with the topics in "European Directive
> (EC/1999/93)".
> Am I right or wrong?
There is certainly a lot in the linked EC document that has nothing to
do with the service offered by hellosign.com.
- --
Best regards
MFPA mailto:expires2013 at ymail.com
Another person's secret is like another person's money:
you are not as careful with it as you are with your own
From singpolyma at singpolyma.net Fri Jan 4 03:53:22 2013
From: singpolyma at singpolyma.net (Stephen Paul Weber)
Date: Fri, 4 Jan 2013 02:53:22 +0000
Subject: "New" packet headers and gpg
Message-ID: <20130104025322.GA26567@singpolyma.net>
Is there a set of switches to tell gpg or gpg2 to produce "new" packet
length headers for output? Specifically
.
--
Stephen Paul Weber, @singpolyma
See for how I prefer to be contacted
edition right joseph
From dshaw at jabberwocky.com Fri Jan 4 05:42:07 2013
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu, 3 Jan 2013 23:42:07 -0500
Subject: Paperkey 1.3
Message-ID: <06E61075-A0FB-4C7A-A3A4-DFD0DF6C5BEB@jabberwocky.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi folks,
Paperkey 1.3 is released. This adds ECC key support (both ECDH and
ECDSA) as well as a few more minor tweaks.
Source and Win32 binaries are available at:
http://www.jabberwocky.com/software/paperkey/
Enjoy!
David
From dshaw at jabberwocky.com Fri Jan 4 05:52:05 2013
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu, 3 Jan 2013 23:52:05 -0500
Subject: "New" packet headers and gpg
In-Reply-To: <20130104025322.GA26567@singpolyma.net>
References: <20130104025322.GA26567@singpolyma.net>
Message-ID: <09D45477-7DB2-4B34-A0F8-C0A3B5650329@jabberwocky.com>
On Jan 3, 2013, at 9:53 PM, Stephen Paul Weber wrote:
> Is there a set of switches to tell gpg or gpg2 to produce "new" packet length headers for output? Specifically .
No. GPG automatically uses the old packet headers for those packets that can be described that way (i.e. packets numbered less than 16) and new packet headers for all other packets (16 and up).
David
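An added example, not code from any poster in this archive: a small Python parser that handles both the old and new packet length headers described in the reply above, and lists what a bare version 4 signature packet exposes without the signed file (the `--list-packets` fields discussed in the "Obtain a signature ID" thread). The key ID, timestamp and digest octets are taken from vedaal's listing; the packet itself, including its 16-bit MPI, is a constructed placeholder and not a real signature.

```python
def read_header(buf, pos=0):
    """Decode one packet header -> (tag, "old" | "new", body_start, body_len)."""
    first = buf[pos]
    if not first & 0x80:
        # HTML error pages and ASCII armor land here; armor has to be
        # removed first (for instance with gpg --dearmor).
        raise ValueError("bit 7 clear: not a binary OpenPGP packet")
    if first & 0x40:                        # new format: 6-bit tag
        tag, o1 = first & 0x3F, buf[pos + 1]
        if o1 < 192:
            return tag, "new", pos + 2, o1
        if o1 < 224:
            return tag, "new", pos + 3, ((o1 - 192) << 8) + buf[pos + 2] + 192
        if o1 == 255:
            return tag, "new", pos + 6, int.from_bytes(buf[pos + 2:pos + 6], "big")
        raise ValueError("partial body lengths are not handled here")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03   # old format: 4-bit tag
    if ltype == 3:
        raise ValueError("indeterminate lengths are not handled here")
    n = 1 << ltype                          # 1, 2 or 4 length octets
    return tag, "old", pos + 1 + n, int.from_bytes(buf[pos + 1:pos + 1 + n], "big")

def old_header(tag, length):
    if tag > 15:
        raise ValueError("old format has a 4-bit tag; tags 16 and up need the new format")
    for ltype, n in ((0, 1), (1, 2), (2, 4)):
        if length < 1 << (8 * n):
            return bytes([0x80 | (tag << 2) | ltype]) + length.to_bytes(n, "big")
    raise ValueError("length does not fit in four octets")

def new_header(tag, length):
    if length < 192:
        enc = bytes([length])
    elif length < 8384:
        rest = length - 192
        enc = bytes([(rest >> 8) + 192, rest & 0xFF])
    else:
        enc = b"\xff" + length.to_bytes(4, "big")
    return bytes([0xC0 | tag]) + enc

def parse_subpackets(area):
    """Map subpacket type -> data for one hashed or unhashed area."""
    out, i = {}, 0
    while i < len(area):
        n = area[i]; i += 1
        if 192 <= n < 255:
            n = ((n - 192) << 8) + area[i] + 192; i += 1
        elif n == 255:
            n = int.from_bytes(area[i:i + 4], "big"); i += 4
        out[area[i] & 0x7F] = area[i + 1:i + n]   # bit 7 is the critical flag
        i += n                                    # n counts the type octet too
    return out

def parse_v4_signature(body):
    version, sigclass, pk_algo, hash_algo = body[0:4]
    if version != 4:
        raise ValueError("only version 4 signature packets are handled here")
    hlen = int.from_bytes(body[4:6], "big")
    hashed = parse_subpackets(body[6:6 + hlen])
    p = 6 + hlen
    ulen = int.from_bytes(body[p:p + 2], "big")
    unhashed = parse_subpackets(body[p + 2:p + 2 + ulen])
    p += 2 + ulen
    created = hashed.get(2)                       # subpacket 2: sig created
    issuer = hashed.get(16) or unhashed.get(16)   # subpacket 16: issuer key ID
    return {
        "sigclass": sigclass, "pk_algo": pk_algo, "hash_algo": hash_algo,
        "created": int.from_bytes(created, "big") if created else None,
        "issuer_keyid": issuer.hex().upper() if issuer else None,
        # An issuer found only in the unhashed area is not covered by the signature.
        "issuer_is_hashed": 16 in hashed,
        "digest_prefix": body[p:p + 2].hex(),     # the two leftmost digest octets
    }

def sample_signature_body():
    """Constructed packet body mirroring the field layout in vedaal's listing."""
    hashed = bytes([5, 2]) + (1357154353).to_bytes(4, "big")
    unhashed = bytes([9, 16]) + bytes.fromhex("A306C37B495CA15B")
    mpi = bytes.fromhex("0010beef")               # placeholder 16-bit MPI
    return (bytes([4, 0x00, 1, 8])
            + len(hashed).to_bytes(2, "big") + hashed
            + len(unhashed).to_bytes(2, "big") + unhashed
            + bytes.fromhex("8848") + mpi)

def describe(packet):
    tag, fmt, start, length = read_header(packet)
    if tag != 2:
        raise ValueError("tag %d is not a signature packet" % tag)
    info = parse_v4_signature(packet[start:start + length])
    info["header"] = fmt
    return info

if __name__ == "__main__":
    body = sample_signature_body()
    for header in (old_header(2, len(body)), new_header(2, len(body))):
        print(header.hex(), describe(header + body))
```

Both header forms wrap the same body and decode to the same fields; only the first octets differ.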
From branko at majic.rs Fri Jan 4 10:01:00 2013
From: branko at majic.rs (Branko Majic)
Date: Fri, 4 Jan 2013 10:01:00 +0100
Subject: Paperkey 1.3
In-Reply-To: <06E61075-A0FB-4C7A-A3A4-DFD0DF6C5BEB@jabberwocky.com>
References: <06E61075-A0FB-4C7A-A3A4-DFD0DF6C5BEB@jabberwocky.com>
Message-ID: <20130104100100.42b8e405@zetkin.int.primekey.se>
On Thu, 3 Jan 2013 23:42:07 -0500
David Shaw wrote:
> Paperkey 1.3 is released. This adds ECC key support (both ECDH and
> ECDSA) as well as a few more minor tweaks.
>
> Source and Win32 binaries are available at:
> http://www.jabberwocky.com/software/paperkey/
Curious piece of software. Certainly not something that comes to mind
right away for making backups.
I wonder if you could back-up even more by using 2D bar code for an
output?
Best regards
--
Branko Majic
Jabber: branko at majic.rs
Please use only Free formats when sending attachments to me.
From mortenkjarulff at gmail.com Fri Jan 4 13:35:09 2013
From: mortenkjarulff at gmail.com (Morten Kjærulff)
Date: Fri, 4 Jan 2013 13:35:09 +0100
Subject: Is a document signed with hellosign legally binding?
In-Reply-To: <50E6A5F0.6070705@miradoiro.com>
References:
<50E6A5F0.6070705@miradoiro.com>
Message-ID:
Thank you all!
So, a bare email is also legally binding, but it can be hard to prove who
sent it. Same for hellosign.com, it can be hard to prove who really signed
a document there, and it was that fact that confused me, I made "legally
binding" and "prove who signed" the same thing.
/Morten
On Fri, Jan 4, 2013 at 10:50 AM, David P ? wrote:
> The directive refers to two types of signatures on article 2: electronic
> signatures are those like me writing my name on the foot of this email,
> advanced electronic signatures are the ones that require certificates and
> so on. By art 5.1, advanced electronic signatures are equivalent to
> hand-written ones, by art 5.2, though, unqualified electronic signatures
> should not be denied legal validity on the mere grounds that they are
> electronic. So without advising to particulars, especially given the
> possible issues with transposition of the directive into national law, an
> electronic signature of that sort is binding, though of course it is
> possible to question whether it really was issued by the signatory and so
> on.
>
> --David.
>
>
From apadmaraju at prounlimited.com Thu Jan 3 20:37:28 2013
From: apadmaraju at prounlimited.com (Anilkumar Padmaraju)
Date: Thu, 3 Jan 2013 11:37:28 -0800
Subject: gnupg not working with RHEL 4
Message-ID:
Hi,
This is an important issue for me. I would really appreciate, if any one
can help.
Server 1:
I have a server with Red Hat Enterprise Linux AS release 4 (Nahant Update
5) and having gnupg version 1.2.6.
When I am trying to import a key, I am getting below problem and the key is
not getting imported. The key is 2048 bits.
# gpg --import /key.asc
gpg: DSA requires the use of a 160 bit hash algorithm
gpg: DSA requires the use of a 160 bit hash algorithm
gpg: DSA requires the use of a 160 bit hash algorithm
gpg: DSA requires the use of a 160 bit hash algorithm
gpg: key ACF6FA22: no valid user IDs
gpg: this may be caused by a missing self-signature
gpg: Total number processed: 1
gpg: w/o user IDs: 1
#
Server 2:
I have another server with Red Hat Enterprise Linux Server release 5.5
(Tikanga) and with gnupg version 1.4.5. On this I am able to import the
same key successfully.
Unfortunately, I cannot upgrade Linux on Server 1. What I have to do to
solve the problem with gpg import on Server 1?
Do I have to upgrade the gnupg on Server 1 or is there alternate solution?
If I have to upgrade gnupg, to which version of gnupg I have to update? I
cannot use up2date because the Server 1 is not subscribed to RHN. So what
will be the alternate way to upgrade without up2date.
Thank you very much,
Anil.
From rjh at sixdemonbag.org Fri Jan 4 14:34:40 2013
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 04 Jan 2013 08:34:40 -0500
Subject: gnupg not working with RHEL 4
In-Reply-To:
References:
Message-ID: <50E6DA70.9040700@sixdemonbag.org>
On 1/3/2013 2:37 PM, Anilkumar Padmaraju wrote:
> This is an important issue for me. I would really appreciate, if any
> one can help.
The fix is easy: upgrade GnuPG.
Version 1.2.6 is old, really old. The certificate you're trying to
import uses an algorithm (DSA2) which is relatively new. GnuPG is
trying to treat this as a DSA certificate and is complaining that it
uses the wrong parameters.
Download and install the GnuPG 1.4.13 source code from:
ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.4.13.tar.bz2
... and this problem will go away.
From mwood at IUPUI.Edu Fri Jan 4 14:50:56 2013
From: mwood at IUPUI.Edu (Mark H. Wood)
Date: Fri, 4 Jan 2013 08:50:56 -0500
Subject: Is a document signed with hellosign legally binding?
In-Reply-To:
References:
Message-ID: <20130104135056.GB22257@IUPUI.Edu>
I don't know, but I must say that I'm wary of dealing with unknown
people who are collecting signature samples from all over Europe,
offering a service which seems to accomplish very little and making
disputed claims about its legal effect.
--
Mark H. Wood, Lead System Programmer mwood at IUPUI.Edu
There's an app for that: your browser
From dshaw at jabberwocky.com Fri Jan 4 14:54:43 2013
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri, 4 Jan 2013 08:54:43 -0500
Subject: gnupg not working with RHEL 4
In-Reply-To:
References:
Message-ID: <60BC2FBA-0E5D-4145-B180-78DC8278169B@jabberwocky.com>
On Jan 3, 2013, at 2:37 PM, Anilkumar Padmaraju wrote:
> Hi,
>
> This is an important issue for me. I would really appreciate, if any one can help.
>
> Server 1:
> I have a server with Red Hat Enterprise Linux AS release 4 (Nahant Update 5) and having gnupg version 1.2.6.
>
>
> When I am trying to import a key, I am getting below problem and the key is not getting imported. The key is 2048 bits.
>
>
>
> # gpg --import /key.asc
> gpg: DSA requires the use of a 160 bit hash algorithm
This means that you are trying to import a key with a version of GnuPG that is too old to understand it. That key uses a feature (called DSA2) that didn't exist in version 1.2.6 of GnuPG.
> Unfortunately, I cannot upgrade Linux on Server 1. What I have to do to solve the problem with gpg import on Server 1?
While you don't have to upgrade Linux on server 1, you do need to at least upgrade GnuPG.
Go to http://www.gnupg.org/download/ and grab the latest 1.4 version of GnuPG (at the moment, it's 1.4.13). That is the easiest replacement for 1.2.6, and will handle that DSA2 key just fine.
David
From johanw at vulcan.xs4all.nl Fri Jan 4 15:27:55 2013
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Fri, 04 Jan 2013 15:27:55 +0100
Subject: Paperkey 1.3
In-Reply-To: <06E61075-A0FB-4C7A-A3A4-DFD0DF6C5BEB@jabberwocky.com>
References: <06E61075-A0FB-4C7A-A3A4-DFD0DF6C5BEB@jabberwocky.com>
Message-ID: <50E6E6EB.2040801@vulcan.xs4all.nl>
On 04-01-2013 5:42, David Shaw wrote:
> Paperkey 1.3 is released.
You might want to update the website, it reads a bit outdated.
CD/DVD-ROMs are going the way of the floppy disc; flash memory is much
more reliable than either. Future support of USB ports or memory card
readers seems the biggest concern for me.
--
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
From singpolyma at singpolyma.net Fri Jan 4 15:39:22 2013
From: singpolyma at singpolyma.net (Stephen Paul Weber)
Date: Fri, 4 Jan 2013 09:39:22 -0500
Subject: "New" packet headers and gpg
In-Reply-To: <09D45477-7DB2-4B34-A0F8-C0A3B5650329@jabberwocky.com>
References: <20130104025322.GA26567@singpolyma.net>
<09D45477-7DB2-4B34-A0F8-C0A3B5650329@jabberwocky.com>
Message-ID: <20130104143922.GA1818@singpolyma-svelti>
Somebody claiming to be David Shaw wrote:
>On Jan 3, 2013, at 9:53 PM, Stephen Paul Weber wrote:
>> tell gpg or gpg2 to produce "new" packet length headers for output?
>
>No. GPG automatically uses the old packet headers for those packets that
>can be described that way
Hmm, ok. I was hoping that with all the "advanced mode, you probably don't
care about this" features, there would be one for this.
--
Stephen Paul Weber, @singpolyma
See for how I prefer to be contacted
edition right joseph
From fabio.coatti at gmail.com Fri Jan 4 16:11:06 2013
From: fabio.coatti at gmail.com (Fabio Coatti)
Date: Fri, 04 Jan 2013 16:11:06 +0100
Subject: poldi
Message-ID: <2881301.LpLIF6IPSH@calvin>
Hi,
I'm playing a bit with an FSFE card, and while trying to find a way to use a
smartcard for xscreensaver I've stumbled on poldi references, but the sources
seem untouched for a long time.
Before starting to work on an updated ebuild (I'm on a Gentoo installation), is
poldi still alive or do we have a better way to reach the same goal (basically,
having xscreensaver and other PAM-enabled things using the card)?
Sorry if the question is silly, but I found no helpful references so far...
--
Fabio
From wk at gnupg.org Fri Jan 4 16:13:03 2013
From: wk at gnupg.org (Werner Koch)
Date: Fri, 04 Jan 2013 16:13:03 +0100
Subject: Paperkey 1.3
In-Reply-To: <50E6E6EB.2040801@vulcan.xs4all.nl> (Johan Wevers's message of
"Fri, 04 Jan 2013 15:27:55 +0100")
References: <06E61075-A0FB-4C7A-A3A4-DFD0DF6C5BEB@jabberwocky.com>
<50E6E6EB.2040801@vulcan.xs4all.nl>
Message-ID: <87hamxc77k.fsf@vigenere.g10code.de>
On Fri, 4 Jan 2013 15:27, johanw at vulcan.xs4all.nl said:
> CD/DVD-ROMs are going the way of the floppy disc; flash memory is much
> more reliable than either. Future support of USB ports or memory card
FWIW: Some time ago I copied a bunch of ~25 years old 5.25 floppies to a
disk. I had only problems with some of the very cheap or the dusted,
wet and oiled ones stored for too many years in my non-heated garage.
Nobody has experience with flash for more than a decade.
Shalom-Salam,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
From dshaw at jabberwocky.com Fri Jan 4 17:31:16 2013
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri, 4 Jan 2013 11:31:16 -0500
Subject: "New" packet headers and gpg
In-Reply-To: <20130104143922.GA1818@singpolyma-svelti>
References: <20130104025322.GA26567@singpolyma.net>
<09D45477-7DB2-4B34-A0F8-C0A3B5650329@jabberwocky.com>
<20130104143922.GA1818@singpolyma-svelti>
Message-ID: <24A495D2-B601-4188-B322-46CB7B8748ED@jabberwocky.com>
On Jan 4, 2013, at 9:39 AM, Stephen Paul Weber wrote:
> Somebody claiming to be David Shaw wrote:
>> On Jan 3, 2013, at 9:53 PM, Stephen Paul Weber wrote:
>>> tell gpg or gpg2 to produce "new" packet length headers for output?
>>
>> No. GPG automatically uses the old packet headers for those packets that can be described that way
>
> Hmm, ok. I was hoping that with all the "advanced mode, you probably don't care about this" features, there would be one for this.
You could patch the code (look in build-packet.c) fairly easily if you need this. Out of curiosity, why do you want to use only new packet headers?
David
From singpolyma at singpolyma.net Fri Jan 4 17:34:51 2013
From: singpolyma at singpolyma.net (Stephen Paul Weber)
Date: Fri, 4 Jan 2013 11:34:51 -0500
Subject: "New" packet headers and gpg
In-Reply-To: <24A495D2-B601-4188-B322-46CB7B8748ED@jabberwocky.com>
References: <20130104025322.GA26567@singpolyma.net>
<09D45477-7DB2-4B34-A0F8-C0A3B5650329@jabberwocky.com>
<20130104143922.GA1818@singpolyma-svelti>
<24A495D2-B601-4188-B322-46CB7B8748ED@jabberwocky.com>
Message-ID: <20130104163451.GA1869@singpolyma-svelti>
Somebody claiming to be David Shaw wrote:
>On Jan 4, 2013, at 9:39 AM, Stephen Paul Weber wrote:
>> Somebody claiming to be David Shaw wrote:
>>> On Jan 3, 2013, at 9:53 PM, Stephen Paul Weber wrote:
>>>> tell gpg or gpg2 to produce "new" packet length headers for output?
>>> No.
>> I was hoping that with all the "advanced mode, you probably don't care
>> about this" features, there would be one for this.
>
>You could patch the code (look in build-packet.c) fairly easily if you need
>this. Out of curiosity, why do you want to use only new packet headers?
I might do that if I get further along. I want to be able to have partial
OpenPGP implementations that only bother with new-style headers. Such
implementations' output can be read by gpg, but there's currently no way to
convince gpg to talk to them :)
My own implementations currently do support both kinds of headers, so it's
not a pressing need.
--
Stephen Paul Weber, @singpolyma
See for how I prefer to be contacted
edition right joseph
From harningt at gmail.com Fri Jan 4 16:35:30 2013
From: harningt at gmail.com (Thomas Harning Jr.)
Date: Fri, 4 Jan 2013 10:35:30 -0500
Subject: Paperkey 1.3
In-Reply-To: <20130104100100.42b8e405@zetkin.int.primekey.se>
References: <06E61075-A0FB-4C7A-A3A4-DFD0DF6C5BEB@jabberwocky.com>
<20130104100100.42b8e405@zetkin.int.primekey.se>
Message-ID:
You may want to check out my blog post about key backup[1]. In it I
mention two bar-code style backup solutions:
* PaperBack [2]
* Twibright Optar [3]
I also investigated QR codes and other 2D bar codes.. however they did
not seem to scale well to large amounts of data...
I found that PaperBack, while being a Win32 app (runs fine in Wine)
works beautifully for storing quite a bit of data with redundancy and
handling for user-level printers. Quoting the page "If you have a good
laser printer with the 600 dpi resolution, you can save up to 500,000
bytes of uncompressed data on the single A4/Letter sheet." ... quite a
bit to store your entire secret keyring ... though you could use
paperkey + this to permit bumping up redundancy / dot-size quite a
bit.
Twibright Optar has quite a bit of promise, but requires quite a bit
of pre-processing and noise removal (not to mention source-code edit
to change dot-size to work nicely with non-super printers).
1: http://blog.eharning.us/2011/04/key-backup-for-paranoid.html
2: http://ollydbg.de/Paperbak/
3: http://ronja.twibright.com/optar/
On Fri, Jan 4, 2013 at 4:01 AM, Branko Majic wrote:
> On Thu, 3 Jan 2013 23:42:07 -0500
> David Shaw wrote:
>
>> Paperkey 1.3 is released. This adds ECC key support (both ECDH and
>> ECDSA) as well as a few more minor tweaks.
>>
>> Source and Win32 binaries are available at:
>> http://www.jabberwocky.com/software/paperkey/
>
> Curious piece of software. Certainly not something that comes to mind
> right away for making backups.
>
> I wonder if you could back-up even more by using 2D bar code for an
> output?
>
> Best regards
>
> --
> Branko Majic
> Jabber: branko at majic.rs
> Please use only Free formats when sending attachments to me.
>
--
Thomas Harning Jr. (http://about.me/harningt)
From dshaw at jabberwocky.com Fri Jan 4 18:31:14 2013
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri, 4 Jan 2013 12:31:14 -0500
Subject: Paperkey 1.3
In-Reply-To: <20130104100100.42b8e405@zetkin.int.primekey.se>
References: <06E61075-A0FB-4C7A-A3A4-DFD0DF6C5BEB@jabberwocky.com>
<20130104100100.42b8e405@zetkin.int.primekey.se>
Message-ID: <94C97912-C377-4414-881F-0617AA85577D@jabberwocky.com>
On Jan 4, 2013, at 4:01 AM, Branko Majic wrote:
> On Thu, 3 Jan 2013 23:42:07 -0500
> David Shaw wrote:
>
>> Paperkey 1.3 is released. This adds ECC key support (both ECDH and
>> ECDSA) as well as a few more minor tweaks.
>>
>> Source and Win32 binaries are available at:
>> http://www.jabberwocky.com/software/paperkey/
>
> Curious piece of software. Certainly not something that comes to mind
> right away for making backups.
>
> I wonder if you could back-up even more by using 2D bar code for an
> output?
Sure, paperkey supports piping the output into whatever code generator you like:
gpg --export-secret-key mykey | paperkey --output-format raw | your-bar-code-generator
However, 2D bar codes have some of the problems that paperkey is intended to address. You need a 'thing' (a process, a device, etc) to read them, and part of the point of paperkey is that it's supposed to be the backup of last resort, and thus readable by a human without any special hardware involved.
You could also back up your whole key via a 2D bar code (without using paperkey at all) but then you're backing up a lot of redundant data, giving you a larger image. Of course, this may not be a big deal if the intent is to scan it back in again rather than type it back in again.
David
From vedaal at nym.hush.com Fri Jan 4 19:06:11 2013
From: vedaal at nym.hush.com (vedaal at nym.hush.com)
Date: Fri, 04 Jan 2013 13:06:11 -0500
Subject: paperkey // recommended OCR font ?
In-Reply-To: <16793717.1631@walmart.com>
Message-ID: <20130104180611.515B3E6726@smtp.hushmail.com>
My scanner is broken (lamp problem) and the multifunction printer hasn't arrived yet ;-( so I can't test this myself.
Has anyone tested Paperkey by scanning it in, having the OCR recognize it without error, and then successfully import it into a keyring ?
If so, what is the recommended font and size to be used for accurate OCR ?
OCR-A, OCR-B, Ordinary Courier 10, other ?
(I know that the purpose of Paperkey is to be able to type it in by hand, if all else fails ;-)
but if OCR works, it would make things much easier ... )
TIA
vedaal
From cogsci.k at gmail.com Fri Jan 4 18:39:08 2013
From: cogsci.k at gmail.com (Klaus Neumann)
Date: Fri, 04 Jan 2013 09:39:08 -0800
Subject: Paperkey 1.3
In-Reply-To: <50E6E6EB.2040801@vulcan.xs4all.nl>
References: <06E61075-A0FB-4C7A-A3A4-DFD0DF6C5BEB@jabberwocky.com>
<50E6E6EB.2040801@vulcan.xs4all.nl>
Message-ID: <50E713BC.4030102@gmail.com>
On 01/04/2013 06:27 AM, Johan Wevers wrote:
> On 04-01-2013 5:42, David Shaw wrote:
>
>> Paperkey 1.3 is released.
>
> You might want to update the website, it reads a bit outdated.
> CD/DVD-ROMs are going the way of the floppy disc; flash memory is much
> more reliable than either. Future support of USB ports or memory card
> readers seems the biggest concern for me.
>
Support for USB ports or card readers will not disappear over night.
Whenever the next better medium becomes common, you simply transfer your
back-ups. No reason to be concerned, IMHO.
--
Best regards,
Klaus
--------------
PGP/GPG public keys at http://pgp.mit.edu
_____________________________________________
"Political language ... is designed to make lies sound truthful and murder
respectable."
George Orwell
From dshaw at jabberwocky.com Fri Jan 4 20:30:43 2013
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri, 4 Jan 2013 14:30:43 -0500
Subject: Paperkey 1.3
In-Reply-To: <50E6E6EB.2040801@vulcan.xs4all.nl>
References: <06E61075-A0FB-4C7A-A3A4-DFD0DF6C5BEB@jabberwocky.com>
<50E6E6EB.2040801@vulcan.xs4all.nl>
Message-ID:
On Jan 4, 2013, at 9:27 AM, Johan Wevers wrote:
> On 04-01-2013 5:42, David Shaw wrote:
>
>> Paperkey 1.3 is released.
>
> You might want to update the website, it reads a bit outdated.
> CD/DVD-ROMs are going the way of the floppy disc; flash memory is much
> more reliable than either. Future support of USB ports or memory card
> readers seems the biggest concern for me.
That's a very good point. Do you know of any studies on the projected life of flash when used as backup? I've read anecdotal numbers as low as 5 years, and marketing claims are always huge (100 years!), but most of what I see is about the lifespan when the flash is actively used (so running out of read/write cycles), rather than the on-the-shelf lifespan of already written data.
The few numbers I've seen at manufacturers websites about retention specifically, suggest it's around 10 years (depending on how well the flash is stored - heat makes it die quicker, etc).
David
From apadmaraju at prounlimited.com Fri Jan 4 18:34:37 2013
From: apadmaraju at prounlimited.com (Anilkumar Padmaraju)
Date: Fri, 4 Jan 2013 09:34:37 -0800
Subject: gnupg not working with RHEL 4
In-Reply-To: <60BC2FBA-0E5D-4145-B180-78DC8278169B@jabberwocky.com>
References:
<60BC2FBA-0E5D-4145-B180-78DC8278169B@jabberwocky.com>
Message-ID:
Thank you very much, David.
Our other server is having 1.4.5 and to be consistent want to go from 1.2.6
to 1.4.5.
Can I go ahead and update gnupg from 1.2.6 to 1.4.5 on "Red Hat Enterprise
Linux AS release 4 (Nahant Update 5)"? Is 1.4.5 compatible with this Linux
version? I did not find any information regarding this compatibility.
Thank you,
Anil.
On Fri, Jan 4, 2013 at 5:54 AM, David Shaw wrote:
> On Jan 3, 2013, at 2:37 PM, Anilkumar Padmaraju <
> apadmaraju at prounlimited.com> wrote:
>
> > Hi,
> >
> > This is an important issue for me. I would really appreciate, if any
> > one can help.
> >
> > Server 1:
> > I have a server with Red Hat Enterprise Linux AS release 4 (Nahant
> > Update 5) and having gnupg version 1.2.6.
> >
> >
> > When I am trying to import a key, I am getting below problem and the key
> > is not getting imported. The key is 2048 bits.
> >
> >
> >
> > # gpg --import /key.asc
> > gpg: DSA requires the use of a 160 bit hash algorithm
>
> This means that you are trying to import a key with a version of GnuPG
> that is too old to understand it. That key uses a feature (called DSA2)
> that didn't exist in version 1.2.6 of GnuPG.
>
> > Unfortunately, I cannot upgrade Linux on Server 1. What I have to do to
> > solve the problem with gpg import on Server 1?
>
> While you don't have to upgrade Linux on server 1, you do need to at least
> upgrade GnuPG.
>
> Go to http://www.gnupg.org/download/ and grab the latest 1.4 version of
> GnuPG (at the moment, it's 1.4.13). That is the easiest replacement for
> 1.2.6, and will handle that DSA2 key just fine.
>
> David
>
>
--
Anilkumar Padmaraju | Sr. Linux System Administrator
*PRO Unlimited, Inc.*
1350 Old Bayshore Highway, Suite 350, Burlingame, CA 94010
(o) 650-373-2484 | (m) 408-835-7599 | (e) apadmaraju at prounlimited.com
www.prounlimited.com
From ivfrost2-mail at yahoo.com Fri Jan 4 18:16:16 2013
From: ivfrost2-mail at yahoo.com (I.V. Frost)
Date: Fri, 04 Jan 2013 11:16:16 -0600
Subject: Paperkey 1.3
Message-ID: <50E70E60.6000903@yahoo.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Am I the only having trouble both the key for this message and the one
with the binaries? My installation tells me it is not Key ID:
0x99242560 but key 0xA1BC4FA4 which is not found on any server that I use.
David Shaw made the following observation on 1/3/2013 10:42 PM:
> Hi folks,
>
> Paperkey 1.3 is released. This adds ECC key support (both ECDH and
> ECDSA) as well as a few more minor tweaks.
>
> Source and Win32 binaries are available at:
> http://www.jabberwocky.com/software/paperkey/
-----BEGIN PGP SIGNATURE-----
Comment: what is essential is invisible to the eye
Comment: - Antoine de Saint Exupery
iEYEAREIAAYFAlDm96wACgkQsMrrDTRrXem+cQCgpf9rv9Zj7KHr9CMezbN0YjV6
f/gAn174BhbDynOMYspBeKFztlK//xd/
=ZjMc
-----END PGP SIGNATURE-----
From dshaw at jabberwocky.com Fri Jan 4 21:18:17 2013
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri, 4 Jan 2013 15:18:17 -0500
Subject: Paperkey 1.3
In-Reply-To: <50E70E60.6000903@yahoo.com>
References: <50E70E60.6000903@yahoo.com>
Message-ID: <546CFFD3-A7E2-49E8-A953-DCF7D20D0F4D@jabberwocky.com>
On Jan 4, 2013, at 12:16 PM, "I.V. Frost" wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Am I the only having trouble both the key for this message and the one with the binaries? My installation tells me it is not Key ID: 0x99242560 but key 0xA1BC4FA4 which is not found on any server that I use.
0xA1BC4FA4 is a subkey on 0x99242560. It should be available on the keyserver network.
David
From wk at gnupg.org Fri Jan 4 21:23:45 2013
From: wk at gnupg.org (Werner Koch)
Date: Fri, 04 Jan 2013 21:23:45 +0100
Subject: "New" packet headers and gpg
In-Reply-To: <20130104163451.GA1869@singpolyma-svelti> (Stephen Paul Weber's
message of "Fri, 4 Jan 2013 11:34:51 -0500")
References: <20130104025322.GA26567@singpolyma.net>
<09D45477-7DB2-4B34-A0F8-C0A3B5650329@jabberwocky.com>
<20130104143922.GA1818@singpolyma-svelti>
<24A495D2-B601-4188-B322-46CB7B8748ED@jabberwocky.com>
<20130104163451.GA1869@singpolyma-svelti>
Message-ID: <87sj6gbstq.fsf@vigenere.g10code.de>
On Fri, 4 Jan 2013 17:34, singpolyma at singpolyma.net said:
> headers. Such implementations' output can be read by gpg, but there's
> currently no way to convince gpg to talk to them :)
I just checked the RFC and it says:
If interoperability [with PGP 2] is not an issue, the new packet
format is RECOMMENDED.
Thus there is nothing in the standard which would speak against using
the new headers. This can either be done using a new option or by using
for example the existing compliance option --rfc4880.
I don't assume that PGP 2 is still in use. With the recent addition of
IDEA even decryption of old data can now be done with vanilla GPG.
Shall we give this a test by using one of the compliance options and
make the new headers the default in one or two years? Less code is
always better.
Salam-Shalom,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
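The old and new packet framings discussed in this thread, as an added example (not GnuPG code and not written by any poster): a Python reader for both RFC 4880 section 4.2 header formats plus a re-encoder that emits new-format headers only. The function names and the sample packets are constructed for illustration.

```python
"""OpenPGP packet framing (RFC 4880, section 4.2): read both header formats,
write new-format headers only. Illustrative helper names, not GnuPG's."""


class PacketError(ValueError):
    """Raised when the input is not well-formed packet framing."""


def _take(buf, pos, n):
    """Return buf[pos:pos+n], refusing to read past the end of the input."""
    if n < 0 or pos + n > len(buf):
        raise PacketError(f"truncated packet at offset {pos}")
    return buf[pos:pos + n]


def _new_length(buf, pos):
    """Decode one new-format length field -> (length, next_pos, is_partial)."""
    first = _take(buf, pos, 1)[0]
    if first < 192:                                   # one-octet length
        return first, pos + 1, False
    if first < 224:                                   # two-octet length
        second = _take(buf, pos + 1, 1)[0]
        return ((first - 192) << 8) + second + 192, pos + 2, False
    if first == 255:                                  # five-octet length
        return int.from_bytes(_take(buf, pos + 1, 4), "big"), pos + 5, False
    return 1 << (first & 0x1F), pos + 1, True         # partial body length


def read_packet(buf, pos=0):
    """Parse the packet starting at pos -> (tag, fmt, body, next_pos)."""
    ctb = _take(buf, pos, 1)[0]
    if not ctb & 0x80:
        raise PacketError(f"offset {pos}: bit 7 of the tag octet is clear")
    pos += 1
    if ctb & 0x40:                                    # new format: 6-bit tag
        body = bytearray()
        partial = True
        while partial:                                # join partial chunks
            length, pos, partial = _new_length(buf, pos)
            body += _take(buf, pos, length)
            pos += length
        return ctb & 0x3F, "new", bytes(body), pos
    tag, length_type = (ctb >> 2) & 0x0F, ctb & 0x03  # old format: 4-bit tag
    if length_type == 3:                              # indeterminate length:
        return tag, "old", bytes(buf[pos:]), len(buf)  # body runs to the end
    width = (1, 2, 4)[length_type]
    length = int.from_bytes(_take(buf, pos, width), "big")
    pos += width
    return tag, "old", bytes(_take(buf, pos, length)), pos + length


def iter_packets(buf):
    """Yield (tag, fmt, body) for every packet in buf."""
    pos = 0
    while pos < len(buf):
        tag, fmt, body, pos = read_packet(buf, pos)
        yield tag, fmt, body


def encode_new(tag, body):
    """Frame body with a new-format header using a definite length."""
    if not 0 <= tag <= 0x3F:
        raise PacketError(f"tag {tag} does not fit in six bits")
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        length = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        length = b"\xff" + n.to_bytes(4, "big")
    return bytes([0xC0 | tag]) + length + bytes(body)


def to_new_format(buf):
    """Re-frame a whole packet stream; bodies are copied unchanged."""
    return b"".join(encode_new(tag, body) for tag, _, body in iter_packets(buf))


# Constructed sample: two old-format packets. Only the framing is meaningful;
# the bodies are filler, not real key or message material.
UID = b"Alice <alice@example.org>"
BODY = b"x" * 300
SAMPLE_OLD = (bytes([0x80 | (13 << 2) | 0, len(UID)]) + UID      # tag 13, 1-octet length
              + bytes([0x80 | (11 << 2) | 1])                    # tag 11, 2-octet length
              + len(BODY).to_bytes(2, "big") + BODY)

if __name__ == "__main__":
    for tag, fmt, body in iter_packets(to_new_format(SAMPLE_OLD)):
        print(f"tag={tag:2d} format={fmt} length={len(body)}")
```

Old-format headers carry only a four-bit tag, so packet types above 15 can be framed with new-format headers only; the re-encoder never needs the reverse direction.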
From dshaw at jabberwocky.com Fri Jan 4 21:36:32 2013
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri, 4 Jan 2013 15:36:32 -0500
Subject: gnupg not working with RHEL 4
In-Reply-To:
References:
<60BC2FBA-0E5D-4145-B180-78DC8278169B@jabberwocky.com>
Message-ID: <39121838-D366-4898-9052-C81685FCDEA0@jabberwocky.com>
On Jan 4, 2013, at 12:34 PM, Anilkumar Padmaraju wrote:
> Thank you very much, David.
>
> Our other server is having 1.4.5 and to be consistent want to go from 1.2.6 to 1.4.5.
>
> Can I go ahead and update gnupg from 1.2.6 to 1.4.5 on "Red Hat Enterprise Linux AS release 4 (Nahant Update 5)"? Is 1.4.5 compatible with this Linux version? I did not find any information regarding this compatibility.
You could upgrade to 1.4.5, but this is not recommended. There have been a number of bug fixes between 1.4.5 and 1.4.13, and using the most recent version is usually the best course of action.
David
From wk at gnupg.org Fri Jan 4 21:45:42 2013
From: wk at gnupg.org (Werner Koch)
Date: Fri, 04 Jan 2013 21:45:42 +0100
Subject: gnupg not working with RHEL 4
In-Reply-To:
(Anilkumar Padmaraju's message of "Fri, 4 Jan 2013 09:34:37 -0800")
References:
<60BC2FBA-0E5D-4145-B180-78DC8278169B@jabberwocky.com>
Message-ID: <87obh4brt5.fsf@vigenere.g10code.de>
On Fri, 4 Jan 2013 18:34, apadmaraju at prounlimited.com said:
> Can I go ahead and update gnupg from 1.2.6 to 1.4.5 on "Red Hat Enterprise
> Linux AS release 4 (Nahant Update 5)"? Is 1.4.5 compatible with this Linux
> version? I did not find any information regarding this compatibility.
GnuPG is compatible with all Unix style operating systems including
Linux and RHEL [1]. You just need to build it yourself. And please use
the latest versions (1.4.13).
Shalom-Salam,
Werner
[1] And with VMS and Windows. However, you better get a prebuild
version for these OSes.
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
From apadmaraju at prounlimited.com Fri Jan 4 22:09:11 2013
From: apadmaraju at prounlimited.com (Anilkumar Padmaraju)
Date: Fri, 4 Jan 2013 13:09:11 -0800
Subject: gnupg not working with RHEL 4
In-Reply-To: <87obh4brt5.fsf@vigenere.g10code.de>
References:
<60BC2FBA-0E5D-4145-B180-78DC8278169B@jabberwocky.com>
<87obh4brt5.fsf@vigenere.g10code.de>
Message-ID:
Thank you, David and Werner.
This is first time I am upgrading gnupg. Are there any steps or document
to download source, compile, and upgrade? I did some search in google, but
could not find detailed one.
After upgrading do I have to do gpg --gen-key or it is only needed when we
install for the first time?
Thank you,
Anil.
On Fri, Jan 4, 2013 at 12:45 PM, Werner Koch wrote:
> On Fri, 4 Jan 2013 18:34, apadmaraju at prounlimited.com said:
>
> > Can I go ahead and update gnupg from 1.2.6 to 1.4.5 on "Red Hat
> > Enterprise Linux AS release 4 (Nahant Update 5)"? Is 1.4.5 compatible
> > with this Linux version? I did not find any information regarding this
> > compatibility.
>
> GnuPG is compatible with all Unix style operating systems including
> Linux and RHEL [1]. You just need to build it yourself. And please use
> the latest versions (1.4.13).
>
>
> Shalom-Salam,
>
> Werner
>
>
>
> [1] And with VMS and Windows. However, you better get a prebuild
> version for these OSes.
>
> --
> Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
>
>
--
Anilkumar Padmaraju | Sr. Linux System Administrator
*PRO Unlimited, Inc.*
1350 Old Bayshore Highway, Suite 350, Burlingame, CA 94010
(o) 650-373-2484 | (m) 408-835-7599 | (e) apadmaraju at prounlimited.com
www.prounlimited.com
From singpolyma at singpolyma.net Fri Jan 4 22:37:14 2013
From: singpolyma at singpolyma.net (Stephen Paul Weber)
Date: Fri, 4 Jan 2013 16:37:14 -0500
Subject: simple-sk-checksum
Message-ID: <20130104213714.GC1838@singpolyma-svelti>
The manpage for gpg sez:
> Secret keys are integrity protected by using a SHA-1 checksum. This
> method is part of the upcoming enhanced OpenPGP specification but GnuPG
> already uses it as a countermeasure against certain attacks. Old
> applications don't understand this new format, so this
> option may be used to switch back to the old behaviour. Using this option
> bears a security risk.
Does anyone know what the actual security risk is? Using a weaker checksum
obviously makes it easier to forge data, but in this case the data being
forged is just the secret parts of a secret key. What are the attack
vectors there?
--
Stephen Paul Weber, @singpolyma
See for how I prefer to be contacted
edition right joseph
From dshaw at jabberwocky.com Fri Jan 4 22:53:44 2013
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri, 4 Jan 2013 16:53:44 -0500
Subject: simple-sk-checksum
In-Reply-To: <20130104213714.GC1838@singpolyma-svelti>
References: <20130104213714.GC1838@singpolyma-svelti>
Message-ID: <33BBCE6A-5E00-419E-83D4-D6F61B11B28E@jabberwocky.com>
On Jan 4, 2013, at 4:37 PM, Stephen Paul Weber wrote:
> The manpage for gpg sez:
>
>> Secret keys are integrity protected by using a SHA-1 checksum. This method is part of the upcoming enhanced OpenPGP specification but GnuPG already uses it as a countermeasure against certain attacks. Old applications don't understand this new format, so this
>> option may be used to switch back to the old behaviour. Using this option bears a security risk.
>
> Does anyone know what the actual security risk is? Using a weaker checksum obviously makes it easier to forge data, but in this case the data being forged is just the secret parts of a secret key. What are the attack vectors there?
http://eprint.iacr.org/2002/076.pdf
David
From singpolyma at singpolyma.net Fri Jan 4 23:08:09 2013
From: singpolyma at singpolyma.net (Stephen Paul Weber)
Date: Fri, 4 Jan 2013 17:08:09 -0500
Subject: simple-sk-checksum
In-Reply-To: <33BBCE6A-5E00-419E-83D4-D6F61B11B28E@jabberwocky.com>
References: <20130104213714.GC1838@singpolyma-svelti>
<33BBCE6A-5E00-419E-83D4-D6F61B11B28E@jabberwocky.com>
Message-ID: <20130104220809.GD1838@singpolyma-svelti>
Somebody claiming to be David Shaw wrote:
>On Jan 4, 2013, at 4:37 PM, Stephen Paul Weber wrote:
>> Does anyone know what the actual security risk is? Using a weaker
>> checksum obviously makes it easier to forge data, but in this case the
>> data being forged is just the secret parts of a secret key. What are the
>> attack vectors there?
>
>http://eprint.iacr.org/2002/076.pdf
Thanks! That paper implies that both the public *and* private elements must
be integrity protected to defeat the attack (depending on algorithm),
however it seems that only the private elements are protected by the SHA1
under RFC4880. Was the need to protect the public elements discovered to be
unnecessary?
--
Stephen Paul Weber, @singpolyma
See for how I prefer to be contacted
edition right joseph
From apadmaraju at prounlimited.com Fri Jan 4 23:49:09 2013
From: apadmaraju at prounlimited.com (Anilkumar Padmaraju)
Date: Fri, 4 Jan 2013 14:49:09 -0800
Subject: gnupg not working with RHEL 4
In-Reply-To:
References:
<60BC2FBA-0E5D-4145-B180-78DC8278169B@jabberwocky.com>
<87obh4brt5.fsf@vigenere.g10code.de>
Message-ID:
I am using http://www.faqs.org/docs/securing/chap19sec152.html to do the
upgrade. Please let me know, if I have to do any additional steps.
Since I am already using gpg on this server, do I have to do "gpg
--gen-key" after the upgrade?
Thank you,
Anil.
On Fri, Jan 4, 2013 at 1:09 PM, Anilkumar Padmaraju <
apadmaraju at prounlimited.com> wrote:
> Thank you, David and Werner.
>
> This is first time I am upgrading gnupg. Are there any steps or document
> to download source, compile, and upgrade? I did some search in google, but
> could not find detailed one.
>
> After upgrading do I have to do gpg --gen-key or it is only needed when we
> install for the first time?
>
> Thank you,
>
> Anil.
>
> On Fri, Jan 4, 2013 at 12:45 PM, Werner Koch wrote:
>
>> On Fri, 4 Jan 2013 18:34, apadmaraju at prounlimited.com said:
>>
>> > Can I go ahead and update gnupg from 1.2.6 to 1.4.5 on "Red Hat
>> > Enterprise Linux AS release 4 (Nahant Update 5)"? Is 1.4.5 compatible
>> > with this Linux version? I did not find any information regarding this
>> > compatibility.
>>
>> GnuPG is compatible with all Unix style operating systems including
>> Linux and RHEL [1]. You just need to build it yourself. And please use
>> the latest versions (1.4.13).
>>
>>
>> Shalom-Salam,
>>
>> Werner
>>
>>
>>
>> [1] And with VMS and Windows. However, you better get a prebuild
>> version for these OSes.
>>
>> --
>> Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
>>
>>
>
From dshaw at jabberwocky.com Sat Jan 5 01:17:13 2013
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri, 4 Jan 2013 19:17:13 -0500
Subject: paperkey // recommended OCR font ?
In-Reply-To: <20130104180611.515B3E6726@smtp.hushmail.com>
References: <20130104180611.515B3E6726@smtp.hushmail.com>
Message-ID: <7172B295-A418-4746-BD9A-3B44A99EF8F7@jabberwocky.com>
On Jan 4, 2013, at 1:06 PM, vedaal at nym.hush.com wrote:
> My scanner is broken (lamp problem) and the multifunction printer hasn't arrived yet ;-( so I can't test this myself.
>
>
> Has anyone tested Paperkey by scanning it in, having the OCR recognize it without error, and then successfully import it into a keyring ?
>
> If so, what is the recommended font and size to be used for accurate OCR ?
>
> OCR-A, OCR-B, Ordinary Courier 10, other ?
I've done this, with regular old Courier. It basically worked, with a few glitches that I had to correct by hand. Paperkey has a checksum on each line so you can easily tell which line got the glitch. I suspect an OCR font would have done better.
David
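How a per-line checksum localises an OCR glitch, as an added example that is not paperkey's code: the line layout used here (line number, hex octets, trailing CRC-24 with the RFC 4880 parameters) is an assumption made for illustration, and the sample data is constructed.

```python
"""Locate OCR-damaged lines in a hex dump that carries a checksum per line.
Assumed layout (illustration only):  '  N: HH HH ... HH CCCCCC'."""


def crc24(data):
    """CRC-24 with the parameters given in RFC 4880, section 6.1."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def render(data, per_line=22):
    """Format data as numbered hex lines, each ending in its own CRC-24."""
    lines = []
    for number, off in enumerate(range(0, len(data), per_line), start=1):
        chunk = data[off:off + per_line]
        hexed = " ".join(f"{b:02X}" for b in chunk)
        lines.append(f"{number:3d}: {hexed} {crc24(chunk):06X}")
    return lines


def find_bad_lines(lines):
    """Return (bad_line_numbers, data); data is None unless every line checks."""
    bad, chunks = [], []
    for expected, line in enumerate(lines, start=1):
        label, _, rest = line.partition(":")
        tokens = rest.split()
        try:
            if int(label) != expected or len(tokens) < 2:
                raise ValueError("line number or token count is wrong")
            *octets, crc = tokens
            if len(crc) != 6 or any(len(t) != 2 for t in octets):
                raise ValueError("token has the wrong width")
            chunk = bytes(int(t, 16) for t in octets)   # fails on 'O', 'l', ...
            if int(crc, 16) != crc24(chunk):
                raise ValueError("CRC mismatch")
            chunks.append(chunk)
        except ValueError:
            bad.append(expected)                        # retype only this line
    return bad, (None if bad else b"".join(chunks))


# Constructed sample: 60 filler octets standing in for scanned key data.
SAMPLE = bytes(range(60))

if __name__ == "__main__":
    scanned = render(SAMPLE)
    # Simulated OCR glitch: '8' read as 'B' (still valid hex) on line 2.
    number, rest = scanned[1].split(": ", 1)
    scanned[1] = number + ": " + rest.replace("18", "1B", 1)
    print(find_bad_lines(scanned)[0])
```

A misread that still yields valid hex digits is the case the checksum exists for: the line parses cleanly and only the CRC comparison exposes it.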
From rjh at sixdemonbag.org Sat Jan 5 04:23:53 2013
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 04 Jan 2013 22:23:53 -0500
Subject: paperkey // recommended OCR font ?
In-Reply-To: <7172B295-A418-4746-BD9A-3B44A99EF8F7@jabberwocky.com>
References: <20130104180611.515B3E6726@smtp.hushmail.com>
<7172B295-A418-4746-BD9A-3B44A99EF8F7@jabberwocky.com>
Message-ID: <50E79CC9.3000107@sixdemonbag.org>
On 1/4/2013 7:17 PM, David Shaw wrote:
> I've done this, with regular old Courier.
My experiences are similar. One additional thing: the larger the font
the easier it is for OCR to recognize it (up to a point: I doubt there's
much difference between 48- and 72-point recognition). So try using 12-
or 14-point if possible.
From johanw at vulcan.xs4all.nl Sat Jan 5 13:55:26 2013
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Sat, 05 Jan 2013 13:55:26 +0100
Subject: Paperkey 1.3
In-Reply-To:
References: <06E61075-A0FB-4C7A-A3A4-DFD0DF6C5BEB@jabberwocky.com> <50E6E6EB.2040801@vulcan.xs4all.nl>
Message-ID: <50E822BE.2020409@vulcan.xs4all.nl>
On 04-01-2013 20:30, David Shaw wrote:
> That's a very good point. Do you know of any studies on the projected life of flash
> when used as backup?
That depends strongly on the type of flash. NOR-flash, which is not used
any more in new devices gave problems after not many rewrites. NAND
flash is much more durable.
However, when you buy a new device and use it for long term backup
purposes (no/very few rewrites) AFAIK it can last very long. The main
thing that could damage it when it's just stored is radioactive
radiation like cosmic rays.
Personally I'm a heavy user of USB flash, also for backups, and the only
problems I ever had were software related (e.g. a 64-bit windows 7
computer that had the tendency to corrupt Truecrypt images). Of course
this is anecdotical and I seem to be lucky about it; my oldest CD-ROM
backups from 1998 are also still readable.
> The few numbers I've seen at manufacturers websites about retention specifically,
> suggest it's around 10 years (depending on how well the flash is stored - heat
> makes it die quicker, etc).
My oldest flash drive is still readable but it's not 10 years old yet.
But I am keeping it and will test it every now and then.
--
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
From dkg at fifthhorseman.net Sat Jan 5 20:26:59 2013
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Sat, 05 Jan 2013 14:26:59 -0500
Subject: gnupg not working with RHEL 4
In-Reply-To:
References:
<60BC2FBA-0E5D-4145-B180-78DC8278169B@jabberwocky.com>
<87obh4brt5.fsf@vigenere.g10code.de>
Message-ID: <50E87E83.5080208@fifthhorseman.net>
On 01/04/2013 04:09 PM, Anilkumar Padmaraju wrote:
> This is first time I am upgrading gnupg. Are there any steps or document
> to download source, compile, and upgrade? I did some search in google, but
> could not find detailed one.
>
> After upgrading do I have to do gpg --gen-key or it is only needed when we
> install for the first time?
GnuPG is software for working with OpenPGP material (keys, signatures,
and encrypted messages). Newer versions of GnuPG will continue to work
with pre-existing OpenPGP material.
This means that you should not need to generate another OpenPGP key just
because your version of GnuPG was upgraded. Your existing OpenPGP key
should continue to work.
hth,
--dkg
From kwadronaut at aktivix.org Sun Jan 6 00:39:05 2013
From: kwadronaut at aktivix.org (kwadronaut)
Date: Sun, 06 Jan 2013 00:39:05 +0100
Subject: key revocation reasons in frontends/gnupg
Message-ID: <50E8B999.1010701@aktivix.org>
Hi,
I was thinking/discussing rfc2440 5.2.3.22. Reason for Revocation. I'd
love to hear opinions why it would or wouldn't make sense to have this
information easy(easier) available with gnupg or some frontends. I
personally find it very convenient to point people to that packet to say
that I for example have a new key that superseded the old one. But maybe
you have other opinions? For sake of easiness I'll paste here the
relevant RFC section:
(1 octet of revocation code, N octets of reason string)
This subpacket is used only in key revocation and certification
revocation signatures. It describes the reason why the key or
certificate was revoked.
The first octet contains a machine-readable code that denotes the
reason for the revocation:
0x00 - No reason specified (key revocations or cert revocations)
0x01 - Key is superceded (key revocations)
0x02 - Key material has been compromised (key revocations)
0x03 - Key is no longer used (key revocations)
0x20 - User id information is no longer valid (cert revocations)
Following the revocation code is a string of octets which gives
information about the reason for revocation in human-readable form
(UTF-8). The string may be null, that is, of zero length. The length
of the subpacket is the length of the reason string plus one.
Ciao,
Kwadronaut
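The subpacket layout quoted above can be decoded in a few lines. This is an added example, not part of the original post and not GnuPG code; the subpacket framing and the type number 29 are taken from RFC 4880 section 5.2.3.1, and the sample bytes are constructed.

```python
"""Find and decode the Reason for Revocation subpacket in a subpacket area."""

REASON_FOR_REVOCATION = 29  # subpacket type number (RFC 4880, section 5.2.3.1)

# Machine-readable codes as listed in the RFC text quoted in the post.
REASONS = {
    0x00: "No reason specified",
    0x01: "Key is superseded",
    0x02: "Key material has been compromised",
    0x03: "Key is no longer used",
    0x20: "User id information is no longer valid",
}


def iter_subpackets(area: bytes):
    """Yield (type, critical, body) for each subpacket in a subpacket area."""
    pos = 0
    while pos < len(area):
        first = area[pos]
        if first < 192:                      # one-octet length
            length, pos = first, pos + 1
        elif first < 255:                    # two-octet length
            if pos + 2 > len(area):
                raise ValueError("truncated subpacket length")
            length = ((first - 192) << 8) + area[pos + 1] + 192
            pos += 2
        else:                                # 0xFF: four-octet length follows
            if pos + 5 > len(area):
                raise ValueError("truncated subpacket length")
            length = int.from_bytes(area[pos + 1:pos + 5], "big")
            pos += 5
        # The length counts the type octet plus the body, so it is never 0.
        if length == 0 or pos + length > len(area):
            raise ValueError("subpacket overruns the subpacket area")
        type_octet = area[pos]
        # Bit 7 of the type octet is the "critical" flag, not part of the type.
        yield type_octet & 0x7F, bool(type_octet & 0x80), area[pos + 1:pos + length]
        pos += length


def revocation_reason(area: bytes):
    """Return (code, meaning, reason_string) or None if no such subpacket."""
    for sp_type, _critical, body in iter_subpackets(area):
        if sp_type != REASON_FOR_REVOCATION:
            continue
        if not body:
            raise ValueError("reason subpacket lacks the revocation code octet")
        code = body[0]
        # The reason string may be empty; it is UTF-8 and attacker-controlled,
        # so decode defensively before showing it to a user.
        text = body[1:].decode("utf-8", errors="replace")
        return code, REASONS.get(code, "unknown code 0x%02x" % code), text
    return None


# Constructed sample: a creation-time subpacket (type 2) followed by a
# Reason for Revocation subpacket with code 0x01 and a short reason string.
_TEXT = b"moved to a new key"
CREATION_ONLY = bytes([5, 2]) + (1357429145).to_bytes(4, "big")
SAMPLE_AREA = CREATION_ONLY + bytes([len(_TEXT) + 2, 29, 0x01]) + _TEXT

if __name__ == "__main__":
    print(revocation_reason(SAMPLE_AREA))
```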
From cloos at jhcloos.com Sun Jan 6 02:02:47 2013
From: cloos at jhcloos.com (James Cloos)
Date: Sat, 05 Jan 2013 20:02:47 -0500
Subject: paperkey // recommended OCR font ?
In-Reply-To: <20130104180611.515B3E6726@smtp.hushmail.com>
(vedaal@nym.hush.com's message of "Fri, 04 Jan 2013 13:06:11 -0500")
References: <20130104180611.515B3E6726@smtp.hushmail.com>
Message-ID:
>>>>> "v" == vedaal writes:
v> If so, what is the recommended font and size to be used for accurate OCR ?
v> OCR-A, OCR-B, Ordinary Courier 10, other ?
I've tried it once. I used ocr-a since it was available and seemed
likely to be easiest to scan. And, although some might disagree, I
also find it easy to read.
I just gave it a try w/o paper, using mpage to generate postscript,
OCRA for the font, gs to render the ps to pbm, and gocr to extract
the text. I needed to run >>tr \;_ ::<< on the extracted text, but
with that paperkey was able to generate a new secring.
So be aware that you may need to massage the ocr'ed data to recover
paperkey's format, but it should mostly work.
Using OCRB or Courier, gocr wasn't able to recover the text well enough.
Tesseract did better with Courier-Bold, but needed >>tr Ol 01< OpenPGP: 1024D/ED7DAEA6
From mwood at IUPUI.Edu Mon Jan 7 16:39:12 2013
From: mwood at IUPUI.Edu (Mark H. Wood)
Date: Mon, 7 Jan 2013 10:39:12 -0500
Subject: Paperkey 1.3
In-Reply-To:
References: <06E61075-A0FB-4C7A-A3A4-DFD0DF6C5BEB@jabberwocky.com>
<50E6E6EB.2040801@vulcan.xs4all.nl>
Message-ID: <20130107153911.GB23569@IUPUI.Edu>
On Fri, Jan 04, 2013 at 02:30:43PM -0500, David Shaw wrote:
> On Jan 4, 2013, at 9:27 AM, Johan Wevers wrote:
>
> > On 04-01-2013 5:42, David Shaw wrote:
> >
> >> Paperkey 1.3 is released.
> >
> > You might want to update the website, it reads a bit outdated.
> > CD/DVD-ROMs are going the way of the floppy disc; flash memory is much
> > more reliable than either. Future support of USB ports or memory card
> > readers seems the biggest concern for me.
>
> That's a very good point. Do you know of any studies on the projected life of flash when used as backup? I've read anecdotal numbers as low as 5 years, and marketing claims are always huge (100 years!), but most of what I see is about the lifespan is when the flash is actively used (so running out of read/write cycles), rather than the on-the-shelf lifespan of already written data.
I'd suggest assuming some periodic read-only use, since we *should* be
testing our backups regularly to discover decay *before* it makes
something irretrievable.
--
Mark H. Wood, Lead System Programmer mwood at IUPUI.Edu
There's an app for that: your browser
From peter at digitalbrains.com Mon Jan 7 17:54:15 2013
From: peter at digitalbrains.com (Peter Lebbing)
Date: Mon, 07 Jan 2013 17:54:15 +0100
Subject: Paperkey 1.3
In-Reply-To: <20130107153911.GB23569@IUPUI.Edu>
References: <06E61075-A0FB-4C7A-A3A4-DFD0DF6C5BEB@jabberwocky.com> <50E6E6EB.2040801@vulcan.xs4all.nl>
<20130107153911.GB23569@IUPUI.Edu>
Message-ID: <50EAFDB7.5060003@digitalbrains.com>
On 07/01/13 16:39, Mark H. Wood wrote:
> I'd suggest assuming some periodic read-only use, since we *should* be
> testing our backups regularly to discover decay *before* it makes
> something irretrievable.
I would assume the decay to make it irretrievable the moment you discover
it. Hoping the bit flips in a non-vital piece of (meta)data seems like a
risky backup strategy.
Flash memory stores its data as an electrical charge, which can leak away.
It does so very slowly, but it still does[1]. We are talking about years.
And reading a cell does not "refresh" it, so read-only use will in principle
not do anything to extend the storage time.
Peter.
[1] Johan Wevers mentioned radioactive radiation. Sounds plausible to me,
that should be capable of knocking electrons away, I'd think as a layman.
--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
From Dave.Smith at st.com Mon Jan 7 17:05:32 2013
From: Dave.Smith at st.com (David Smith)
Date: Mon, 7 Jan 2013 16:05:32 +0000
Subject: Paperkey 1.3
In-Reply-To: <94C97912-C377-4414-881F-0617AA85577D@jabberwocky.com>
References: <06E61075-A0FB-4C7A-A3A4-DFD0DF6C5BEB@jabberwocky.com>
<20130104100100.42b8e405@zetkin.int.primekey.se>
<94C97912-C377-4414-881F-0617AA85577D@jabberwocky.com>
Message-ID: <50EAF24C.6000606@st.com>
On 01/04/13 17:31, David Shaw wrote:
> Sure, paperkey supports piping the output into whatever code generator you like:
>
> gpg --export-secret-key mykey | paperkey --output-format raw | your-bar-code-generator
>
> However, 2D bar codes have some of the problems that paperkey is intended to address. You need a 'thing' (a process, a device, etc) to read them, and part of the point of paperkey is that it's supposed to be the backup of last resort, and thus readable by a human without any special hardware involved.
True, but OTOH, whilst hardware devices do tend to become obsolete
relatively quickly, the algorithms tend to have more longevity. For
example, you might struggle to find one of the earlier 1d bar code
reader pens that I remember from the 1980s around now, and even the
software used for reading and interpreting them will probably have
disappeared, but the overall mechanism is still widely used.
I would suggest that we are going to have "devices for scanning paper to
a digital image" for quite a few years yet (whether they are SCSI-based
ones from years ago, through USB-connected multi-function printers, to
digital cameras and beyond). 2d bar codes (and the algorithms needed to
process them) are well-specified, so even if the existing software
becomes unusable, it could be re-written for a new platform.
I'm not saying that there isn't a place for printing the key out in
ASCII; just that it might be a good idea to print it out as a 2d barcode
as well, so that if recovery were necessary and the appropriate HW and
SW were available, that could be used to recover substantially more data
(since the whole key record could be encoded in a relatively small
space), and then fall back on the ASCII version if the barcode is
unrecoverable.
From apadmaraju at prounlimited.com Mon Jan 7 19:32:16 2013
From: apadmaraju at prounlimited.com (Anilkumar Padmaraju)
Date: Mon, 7 Jan 2013 10:32:16 -0800
Subject: gnupg not working with RHEL 4
In-Reply-To: <50E87E83.5080208@fifthhorseman.net>
References:
<60BC2FBA-0E5D-4145-B180-78DC8278169B@jabberwocky.com>
<87obh4brt5.fsf@vigenere.g10code.de>
<50E87E83.5080208@fifthhorseman.net>
Message-ID:
Thank you, Daniel.
Anil.
On Sat, Jan 5, 2013 at 11:26 AM, Daniel Kahn Gillmor
wrote:
> On 01/04/2013 04:09 PM, Anilkumar Padmaraju wrote:
> > This is first time I am upgrading gnupg. Are there any steps or document
> > to download source, compile, and upgrade? I did some search in google,
> but
> > could not find detailed one.
> >
> > After upgrading do I have to do gpg --gen-key or it is only needed when
> we
> > install for the first time?
>
> GnuPG is software for working with OpenPGP material (keys, signatures,
> and encrypted messages). Newer versions of GnuPG will continue to work
> with pre-existing OpenPGP material.
>
> This means that you should not need to generate another OpenPGP key just
> because your version of GnuPG was upgraded. Your existing OpenPGP key
> should continue to work.
>
> hth,
>
> --dkg
>
>
--
Anilkumar Padmaraju | Sr. Linux System Administrator
*PRO Unlimited, Inc.*
1350 Old Bayshore Highway, Suite 350, Burlingame, CA 94010
(o) 650-373-2484 | (m) 408-835-7599 | (e) apadmaraju at prounlimited.com
www.prounlimited.com
From bd9439 at att.com Mon Jan 7 22:14:16 2013
From: bd9439 at att.com (DUELL, BOB)
Date: Mon, 7 Jan 2013 21:14:16 +0000
Subject: Invalid packet error message
Message-ID:
Hi,
When trying to decrypt a file, we are getting this error message:
gpg: [don't know]: invalid packet (ctb=70)
Does anyone know what this means? I tried several Google searches but can't find anything relevant. FWIW, here is the command (all one line):
gpg --homedir /opt/app/apps/dbmprod/gpg --local-user "mykeyID"
--output imdm_extract_20121221.dat
--decrypt imdm_extract_20121221.dat.pgp
Thanks,
Bob
From josef at netpage.dk Mon Jan 7 21:49:05 2013
From: josef at netpage.dk (Josef Schneider)
Date: Mon, 7 Jan 2013 21:49:05 +0100
Subject: Paperkey 1.3
In-Reply-To: <50EAFDB7.5060003@digitalbrains.com>
References: <06E61075-A0FB-4C7A-A3A4-DFD0DF6C5BEB@jabberwocky.com>
<50E6E6EB.2040801@vulcan.xs4all.nl>
<20130107153911.GB23569@IUPUI.Edu> <50EAFDB7.5060003@digitalbrains.com>
Message-ID:
On Mon, Jan 7, 2013 at 5:54 PM, Peter Lebbing wrote:
> Flash memory stores its data as an electrical charge, which can leak away.
> It does so very slowly, but it still does[1]. We are talking about years.
> And reading a cell does not "refresh" it, so read-only use will in principle
> not do anything to extend the storage time.
Still you can't be sure that the controller or flash cells won't just
stop working.
Yesterday, a new MicroSD card of mine just stopped working.
At first one folder was unreadable and fsck didn't work, then after
unplugging and re-plugging it all file names were gibberish, the card
got hot and I unplugged it.
Since then it's detected as unformatted and no write access is possible.
This is the second MicroSD card where this happens for me. While
yesterday this was after less than a day, the other one broke after
about a month of heavy usage in my smart phone.
And while with a CD or DVD you probably still can read parts of the
data (especially if you have e.g. PAR2 files to recover it) if a flash
storage of any kind stops working, realistically you can't do anything
to rescue even parts of the data.
And while most hard disks that broke showed some signs of that (via
SMART or increased sound level) all flash memory devices more or less
stopped working from one moment to the other. (but then, I don't have
very much data)
So I wouldn't trust any flash memory for long time storage.
From bd9439 at att.com Tue Jan 8 00:31:20 2013
From: bd9439 at att.com (DUELL, BOB)
Date: Mon, 7 Jan 2013 23:31:20 +0000
Subject: Invalid packet error message
In-Reply-To:
References:
Message-ID:
-----Original Message-----
>From: breaka at srv1.adept-hosting.net [mailto:breaka at srv1.adept-hosting.net] On Behalf Of Anonymous
>Sent: Monday, January 07, 2013 3:14 PM
>To: DUELL, BOB
>Subject: Re: Invalid packet error message
>
>> gpg
>> --homedir /opt/app/apps/dbmprod/gpg
>> --local-user "mykeyID"
>> --imdm_extract_20121221.dat
>> --decrypt imdm_extract_20121221.dat.pgp
>>
>
>
>make --output imdm_extract_20121221.dat
>last in command line
>
>[reply to list]
Unfortunately, that's not it; I get:
gpg: WARNING: unsafe permissions on homedir `/opt/app/apps/dbmprod/gpg'
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
usage: gpg [options] --decrypt [filename]
Also, here is my setup:
bd9439 at dspsas01 $ gpg --homedir /opt/app/apps/dbmprod/gpg --version
gpg: WARNING: unsafe permissions on homedir `/opt/app/apps/dbmprod/gpg'
gpg (GnuPG) 1.4.11
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /opt/app/apps/dbmprod/gpg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128,
CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
And yes, I know it's an old version. I just have not had a reason to upgrade; what we have has worked fine (until now). And yes, the "unsafe permissions" is understood. I have this installed in a "public" directory so all users can decrypt files (we have a common key to receive files from outside sources). This is the first time I've seen such a message. We will ask the outside source to re-encrypt and re-send the file (perhaps it was corrupted during FTP), but I'm curious what this error message means.
Thanks!
Bob
From wk at gnupg.org Tue Jan 8 09:17:45 2013
From: wk at gnupg.org (Werner Koch)
Date: Tue, 08 Jan 2013 09:17:45 +0100
Subject: Invalid packet error message
In-Reply-To:
(BOB DUELL's message of "Mon, 7 Jan 2013 21:14:16 +0000")
References:
Message-ID: <871udw6qc6.fsf@vigenere.g10code.de>
On Mon, 7 Jan 2013 22:14, bd9439 at att.com said:
> gpg: [don't know]: invalid packet (ctb=70)
>
> Does anyone know what this means? I tried several Google searches but
Your input data is corrupted. OpenPGP messages are constructed from
several packets, each packet starts with a tag byte commonly called CTB
indicating the type of the packet and how the length of the packet is
specified. 0x70 is not a valid CTB, thus you see this message.
A common cause for a corrupted message is the use of a non binary clean
channel (e.g. using ftp without switching to binary mode). Mail
software may also corrupt the message. Ask the sender of the message to
encapsulate it in a ZIP or tar file and then unzip it before decrypting.
If this works or you can't unzip it your transport channel is non 8 bit
clean. A quick work around would be the use of the --armor or -a
option.
Salam-Shalom,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
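The CTB check described above, as an added example that is not part of the original message and is not GnuPG's code: it decodes the first packet header per RFC 4880 section 4.2, where bit 7 of the tag byte must always be set, which is why 0x70 is rejected. The byte strings used are constructed samples.

```python
"""Decode the first OpenPGP packet header (RFC 4880, section 4.2)."""

# A few packet tags from RFC 4880 section 4.3, for readable output.
TAG_NAMES = {
    1: "Public-Key Encrypted Session Key",
    2: "Signature",
    3: "Symmetric-Key Encrypted Session Key",
    8: "Compressed Data",
    9: "Symmetrically Encrypted Data",
    11: "Literal Data",
    18: "Sym. Encrypted and Integrity Protected Data",
}


def _need(data: bytes, n: int) -> None:
    if len(data) < n:
        raise ValueError(f"truncated header: need {n} octets, have {len(data)}")


def _old_length(data: bytes, length_type: int):
    """Old format: bits 1-0 of the CTB select a 1, 2 or 4 octet length."""
    if length_type == 3:
        return 1, None, False              # indeterminate length
    width = (1, 2, 4)[length_type]
    _need(data, 1 + width)
    return 1 + width, int.from_bytes(data[1:1 + width], "big"), False


def _new_length(data: bytes):
    """New format: the length encoding is chosen by the first length octet."""
    _need(data, 2)
    first = data[1]
    if first < 192:
        return 2, first, False
    if first < 224:
        _need(data, 3)
        return 3, ((first - 192) << 8) + data[2] + 192, False
    if first == 255:
        _need(data, 6)
        return 6, int.from_bytes(data[2:6], "big"), False
    return 2, 1 << (first & 0x1F), True    # partial body length


def parse_packet_header(data: bytes) -> dict:
    """Return format, tag and lengths of the first packet, or raise ValueError."""
    _need(data, 1)
    ctb = data[0]
    if not ctb & 0x80:
        # Bit 7 is always one in a valid CTB; 0x70 = 0b01110000 fails here.
        raise ValueError(f"invalid packet (ctb={ctb:02x}): bit 7 is not set")
    if ctb & 0x40:
        fmt, tag = "new", ctb & 0x3F
        header_len, body_len, partial = _new_length(data)
    else:
        fmt, tag = "old", (ctb >> 2) & 0x0F
        header_len, body_len, partial = _old_length(data, ctb & 0x03)
    if tag == 0:
        raise ValueError(f"invalid packet (ctb={ctb:02x}): tag 0 is reserved")
    return {"format": fmt, "tag": tag, "name": TAG_NAMES.get(tag, "other"),
            "header_len": header_len, "body_len": body_len, "partial": partial}


def describe(data: bytes) -> str:
    """One-line triage of a file that is supposed to be an OpenPGP message."""
    if data.lstrip().startswith(b"-----BEGIN PGP "):
        return "ASCII-armored"             # text-safe form produced by --armor
    try:
        hdr = parse_packet_header(data)
    except ValueError as exc:
        return f"corrupt: {exc}"
    return f"binary: {hdr['format']}-format packet, tag {hdr['tag']} ({hdr['name']})"


if __name__ == "__main__":
    # Constructed samples: a plausible binary start, armor, and the bad byte.
    for sample in (bytes([0x85, 0x01, 0x0C]),
                   b"-----BEGIN PGP MESSAGE-----\n",
                   bytes([0x70, 0x00])):
        print(describe(sample))
```

Running `describe()` on the first few bytes of a received file, before and after transfer, shows whether the damage happened in transit.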
From John at enigmail.net Tue Jan 8 10:26:00 2013
From: John at enigmail.net (John Clizbe)
Date: Tue, 08 Jan 2013 03:26:00 -0600
Subject: Paperkey 1.3
In-Reply-To: <50E70E60.6000903@yahoo.com>
References: <50E70E60.6000903@yahoo.com>
Message-ID: <50EBE628.8010106@enigmail.net>
I.V. Frost wrote:
>
> Am I the only having trouble both the key for this message and the one
> with the binaries? My installation tells me it is not Key ID:
> 0x99242560 but key 0xA1BC4FA4 which is not found on any server that I use.
>
Something sounds odd about the search criteria or keyserver selection.
Searching for the subkey 0xA1BC4FA4:
http://keyserver.gingerbear.net:11371/pks/lookup?search=0xA1BC4FA4&fingerprint=on&op=index
returns the key:
Search results for '0xa1bc4fa4'
Type bits/keyID Date User ID
pub 4096R/99242560 2002-01-28 David M. Shaw
Fingerprint=7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
This should be true of any of the SKS keyservers out there.
(I'm syncing with 75 other servers)
--
John P. Clizbe Inet: John (a) Gingerbear DAWT net
SKS/Enigmail/PGP-EKP or: John ( @ ) Enigmail DAWT net
FSF Assoc #995 / FSFE Fellow #1797 hkp://keyserver.gingerbear.net or
mailto:pgp-public-keys at gingerbear.net?subject=HELP
Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"
From bd9439 at att.com Tue Jan 8 16:10:25 2013
From: bd9439 at att.com (DUELL, BOB)
Date: Tue, 8 Jan 2013 15:10:25 +0000
Subject: Invalid packet error message
In-Reply-To: <871udw6qc6.fsf@vigenere.g10code.de>
References:
<871udw6qc6.fsf@vigenere.g10code.de>
Message-ID:
Thanks for the excellent explanation!
Before I ask for the file to be retransmitted, one quick question (perhaps obvious but bear with me):
If I ask the sender to use the -a option, the resulting file will be ASCII and as such, I would download it as "text" from our FTP server, not "binary", correct?
It just occurred to me that the problem was on the sender's side; perhaps they uploaded the file as "text" when they placed it on our FTP server (we use an intermediary FTP site). At any rate, I think I understand now.
Thanks very much!
Bob
-----Original Message-----
From: Werner Koch [mailto:wk at gnupg.org]
Sent: Tuesday, January 08, 2013 12:18 AM
To: DUELL, BOB
Cc: gnupg-users at gnupg.org
Subject: Re: Invalid packet error message
On Mon, 7 Jan 2013 22:14, bd9439 at att.com said:
> gpg: [don't know]: invalid packet (ctb=70)
>
> Does anyone know what this means? I tried several Google searches but
Your input data is corrupted. OpenPGP messages are constructed from
several packets, each packet starts with a tag byte commonly called CTB
indicating the type of the packet and how the length of the packet is
specified. 0x70 is not a valid CTB, thus you see this message.
A common cause for a corrupted message is the use of a non binary clean
channel (e.g. using ftp without switching to binary mode). Mail
software may also corrupt the message. Ask the sender of the message to
encapsulate it in a ZIP or tar file and then unzip it before decrypting.
If this works or you can't unzip it your transport channel is non 8 bit
clean. A quick work around would be the use of the --armor or -a
option.
Salam-Shalom,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
From mwood at IUPUI.Edu Tue Jan 8 16:25:39 2013
From: mwood at IUPUI.Edu (Mark H. Wood)
Date: Tue, 8 Jan 2013 10:25:39 -0500
Subject: Paperkey 1.3
In-Reply-To: <50EAFDB7.5060003@digitalbrains.com>
References: <06E61075-A0FB-4C7A-A3A4-DFD0DF6C5BEB@jabberwocky.com>
<50E6E6EB.2040801@vulcan.xs4all.nl>
<20130107153911.GB23569@IUPUI.Edu>
<50EAFDB7.5060003@digitalbrains.com>
Message-ID: <20130108152539.GB3657@IUPUI.Edu>
On Mon, Jan 07, 2013 at 05:54:15PM +0100, Peter Lebbing wrote:
> On 07/01/13 16:39, Mark H. Wood wrote:
> > I'd suggest assuming some periodic read-only use, since we *should* be
> > testing our backups regularly to discover decay *before* it makes
> > something irretrievable.
>
> I would assume the decay to make it irretrievable the moment you discover
> it. Hoping the bit flips in a non-vital piece of (meta)data seems like a
> risky backup strategy.
[Hmmm, we are diverging a bit from Paperkey.]
This is why backup formats typically have internal redundancy.
(Printing the data as characters on paper adds a *lot* of redundancy.)
Depending on the medium, you might include error-correcting codes that
can recover from single-bit errors. If you catch it at that stage,
you can copy it out and discard the failing medium.
Some codes will also detect errors that can't be corrected, so that
you know *now* to throw this medium away and make a new copy of your
other backup. (You *do* have another backup?) If you wait, they may
both turn out to be corrupt.
Every backup medium decays. Long-term backups should be:
o armored against bit-level decay;
o tested regularly to detect degradation in progress;
o replicated (and the replicas housed separately);
o periodically refreshed or copied to new media.
I realize that most of us don't do any of that which didn't come with
the software, but we should. :-/
Of course, if an active device (like a flash stick) just stops working
and starts smoking, nothing can be recovered from it. That's one of
the reasons you keep two of them.
--
Mark H. Wood, Lead System Programmer mwood at IUPUI.Edu
There's an app for that: your browser
From vedaal at nym.hush.com Tue Jan 8 18:49:07 2013
From: vedaal at nym.hush.com (vedaal at nym.hush.com)
Date: Tue, 08 Jan 2013 12:49:07 -0500
Subject: Paperkey 1.3 // very durable but often overlooked backup medium
Message-ID: <20130108174907.E9E35E6726@smtp.hushmail.com>
Back in the shrouded mists of time, in the last millennium, before digital media were widely accessible,
many libraries and archives used to back up data on microfiche.
Many of them had built in printers, so that 'text' data could be retrieved, printed out,
(and then, as the technology became widely available), scanned into digital format.
http://www.wisegeek.org/what-is-microfiche.htm
The above article gives the following interesting (?overly optimistic?) durability estimate:
=====[ begin quote ]=====
The polyester material on which the images are printed is also very stable and,
if kept in a temperature controlled environment, is estimated to last as long as 500 years.
CD-ROMs are estimated to last for about 75 - 100 years,
depending on the materials they are made of and how they are stored.
=====[ end quote ]=====
(as an old darkroom B&W hobbyist, I remember specific instructions on how to prepare prints for 'Archival Quality'
[adjust development time so that the print could tolerate 2 minutes in a fixer tray without overly darkening],
this produced an estimate then of 75 year durability.)
Preserving only monochrome text probably has much greater durability.
Anyone come across specific recommendations for paper, printer, and storage recommendations for 'Archival Paper Backup' ?
TIA
vedaal
From avi.wiki at gmail.com Tue Jan 8 19:00:59 2013
From: avi.wiki at gmail.com (Avi)
Date: Tue, 8 Jan 2013 13:00:59 -0500
Subject: Paperkey 1.3 // very durable but often overlooked backup medium
In-Reply-To: <20130108174907.E9E35E6726@smtp.hushmail.com>
References: <20130108174907.E9E35E6726@smtp.hushmail.com>
Message-ID:
These sites may prove interesting:
<http://www.familyarchives.com/pages/documents-how-to-preserve-your-documents.html>
This book, perhaps:
--Avi
----
User:Avraham
pub 3072D/F80E29F9 1/30/2009 Avi (Wikimedia-related key)
Primary key fingerprint: 167C 063F 7981 A1F6 71EC ABAA 0D62 B019 F80E
29F9
On Tue, Jan 8, 2013 at 12:49 PM, wrote:
> Archival Paper Backup
From vedaal at nym.hush.com Tue Jan 8 20:37:41 2013
From: vedaal at nym.hush.com (vedaal at nym.hush.com)
Date: Tue, 08 Jan 2013 14:37:41 -0500
Subject: Paperkey 1.3 // very durable but often overlooked backup medium
In-Reply-To:
References: <20130108174907.E9E35E6726@smtp.hushmail.com>
Message-ID: <20130108193741.8BABBE6718@smtp.hushmail.com>
On Tuesday, January 08, 2013 at 2:13 PM, "Avi" wrote:
>
>These sites may prove interesting:
>
><http://www.familyarchives.com/pages/documents-how-to-preserve-your-documents.html>
>maintenance/index.html>
>
Excellent !
Thanks!
vedaal
From oub at mat.ucm.es Tue Jan 8 23:02:51 2013
From: oub at mat.ucm.es (Uwe Brauer)
Date: Tue, 08 Jan 2013 23:02:51 +0100
Subject: embedded public key in signature as in smime.
Message-ID: <87lic3fi44.fsf@mat.ucm.es>
Hello
Are there any plans to modify the signature (backward compatible?) such
that it contains the public key embedded as in smime?
thanks
Uwe Brauer
From dkg at fifthhorseman.net Tue Jan 8 23:21:58 2013
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Tue, 08 Jan 2013 17:21:58 -0500
Subject: embedded public key in signature as in smime.
In-Reply-To: <87lic3fi44.fsf@mat.ucm.es>
References: <87lic3fi44.fsf@mat.ucm.es>
Message-ID: <50EC9C06.9020205@fifthhorseman.net>
On 01/08/2013 05:02 PM, Uwe Brauer wrote:
> Are there any plans to modify the signature (backward compatible?) such
> that it contains the public key embedded as in smime?
Not that i know of. Why do you think this would be useful?
You could do all of this within the existing OpenPGP specification, but
to make it actually useful (and not just bloat your signatures in ways
that no one else bothers to take advantage of) you might want to modify
GnuPG a bit.
Here are some thoughts on how you might approach it if you think this is
a worthwhile goal.
OpenPGP notations: https://tools.ietf.org/html/rfc4880#section-5.2.3.16
To send this sort of thing, you'd just need to pick a standard name for
the notation, and use gpg's --sig-notation argument in some reasonable
way. Reading gpg(1), it seems like you might want to extend the
%-escaping to make some code (e.g. %X) include the full key in some format.
That's just the sending side. Then you'd have to take care of the
receiving side.
If you wanted gpg to interpret something like this automatically, you'd
need to consider the concern that now the previously read-only activity
of evaluating a signature has side effects that might modify your
keyring. This has some of the same issues (except for the "web bug"
concern) as gpg's "--keyserver-options auto-key-retrieve" option, as
well as "--verify-options pka-lookups" though, so it has some precedent
in the existing codebase.
So to extend gpg, you might add some other --verify-options directive
like import-embedded-key-notation.
make sense?
--dkg
From oub at mat.ucm.es Wed Jan 9 15:35:54 2013
From: oub at mat.ucm.es (Uwe Brauer)
Date: Wed, 09 Jan 2013 15:35:54 +0100
Subject: embedded public key in signature as in smime.
References: <87lic3fi44.fsf@mat.ucm.es>
<50EC9C06.9020205__1946.69991401515$1357683802$gmane$org@fifthhorseman.net>
Message-ID: <87vcb6whit.fsf@gilgamesch.quim.ucm.es>
>> "Daniel" == Daniel Kahn Gillmor writes:
> On 01/08/2013 05:02 PM, Uwe Brauer wrote:
>> Are there any plans to modify the signature (backward compatible?) such
>> that it contains the public key embedded as in smime?
> Not that i know of. Why do you think this would be useful?
I think it would make it easier to interchange public keys.
I have tried over many years to encourage my friends to use pgp, one of
the obstacles was the extraction and interchange of the public keys.
I started to use smime recently and besides its flaws I have to admit
that the key interchange is easier (most likely be more insecure)
> You could do all of this within the existing OpenPGP specification, but
> to make it actually useful (and not just bloat your signatures in ways
> that no one else bothers to take advantage of) you might want to modify
> GnuPG a bit.
> Here are some thoughts on how you might approach it if you think this is
> a worthwhile goal.
> OpenPGP notations: https://tools.ietf.org/html/rfc4880#section-5.2.3.16
thanks
[snip]
> So to extend gpg, you might add some other --verify-options directive
> like import-embedded-key-notation.
> make sense?
I think it does, but it sounds like a project for the (far) future.
regards
Uwe
From wk at gnupg.org Wed Jan 9 16:32:20 2013
From: wk at gnupg.org (Werner Koch)
Date: Wed, 09 Jan 2013 16:32:20 +0100
Subject: embedded public key in signature as in smime.
In-Reply-To: <87vcb6whit.fsf@gilgamesch.quim.ucm.es> (Uwe Brauer's message of
"Wed, 09 Jan 2013 15:35:54 +0100")
References: <87lic3fi44.fsf@mat.ucm.es>
<50EC9C06.9020205__1946.69991401515$1357683802$gmane$org@fifthhorseman.net>
<87vcb6whit.fsf@gilgamesch.quim.ucm.es>
Message-ID: <87d2xe4bjv.fsf@vigenere.g10code.de>
On Wed, 9 Jan 2013 15:35, oub at mat.ucm.es said:
> I started to use smime recently and besides its flaws I have to admit
> that the key interchange is easier (most likely be more insecure)
With S/MIME you can send the keys because it is a centralized system and
all trust comes from the root certificate which has already been installed on
the system. Actually sending the certificate with the mail is
required because there is no easy other way to retrieve a certificate.
With OpenPGP we have it much easier and do not need to resort to that
silliness of sending several K of certificates for a one liner.
Sending the certificate is even bad because it implies that you never
need to look out for revocations. The funny thing is that S/MIME looks
online for revocations, but can't do so for certificates. Thus the
argument of using a more secure offline connections is a bit flawed.
BTW, if you are able to put the keyblock/certificate into the DNS, users
have an easy way to get it.
You may also configure your mail client to always attach the OpenPGP
key, that makes it pretty clear and easy to send you (or Mallory) an
encrypted reply.
Shalom-Salam,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
From sbsubram at in.ibm.com Thu Jan 10 13:38:58 2013
From: sbsubram at in.ibm.com (Suresh B Subramanyam)
Date: Thu, 10 Jan 2013 18:08:58 +0530
Subject: Clarification sought on GnuPG v1.4.12
Message-ID:
Hi GPG user group,
I am trying to use Gnu PG v1.4.12 in one of my projects. I have downloaded
the source gnupg-1.4.12-1.aix5.1.ppc.rpm from
http://www.linuxfromscratch.org/blfs/view/svn/postlfs/gnupg.html
as I could not find any download link for this version in Gnu PG website.
However, I am facing some issues in compiling the source.
Is there a link from where I can get the binary of 1.4.12 version, from
where I can download and readily use?
I intend to use this on AIX 5.3 platform.
Any help will be appreciated.
Thanks and Regards,
Suresh B Subramanyam
SA3 2F 015, Bangalore, India
Ph: +91 80 41772421
From wk at gnupg.org Fri Jan 11 14:20:21 2013
From: wk at gnupg.org (Werner Koch)
Date: Fri, 11 Jan 2013 14:20:21 +0100
Subject: Clarification sought on GnuPG v1.4.12
In-Reply-To:
(Suresh B. Subramanyam's message of "Thu, 10 Jan 2013 18:08:58 +0530")
References:
Message-ID: <877gnjx3e2.fsf@vigenere.g10code.de>
On Thu, 10 Jan 2013 13:38, sbsubram at in.ibm.com said:
> the source gnupg-1.4.12-1.aix5.1.ppc.rpm from
>
> http://www.linuxfromscratch.org/blfs/view/svn/postlfs/gnupg.html
I don't know that but it sounds like a Linux distribution which may have
been patched and thus might not anymore work on other Unix platforms.
> as I could not find any download link for this version in Gnu PG website.
We are not distributing binaries and binaries for Linux won't work
on AIX.
> I intend to use this on AIX 5.3 platform
ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.4.13.tar.gz
is the latest version and should build fine on any Unix platform.
Please use 1.4.13 and not the old 1.4.12, we recently found and fixed a
DoS bug.
Note: There is a report that the new IDEA code doesn't work on PPC,
thus you may want to use the --disable-idea option:
./configure --disable-idea
make
Salam-Shalom,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
From dshaw at jabberwocky.com Mon Jan 14 05:39:59 2013
From: dshaw at jabberwocky.com (David Shaw)
Date: Sun, 13 Jan 2013 23:39:59 -0500
Subject: Paperkey 1.3
In-Reply-To: <50EAF24C.6000606@st.com>
References: <06E61075-A0FB-4C7A-A3A4-DFD0DF6C5BEB@jabberwocky.com>
<20130104100100.42b8e405@zetkin.int.primekey.se>
<94C97912-C377-4414-881F-0617AA85577D@jabberwocky.com>
<50EAF24C.6000606@st.com>
Message-ID: <1B257E37-9059-4981-9458-FDE2D166A34A@jabberwocky.com>
On Jan 7, 2013, at 11:05 AM, David Smith wrote:
> On 01/04/13 17:31, David Shaw wrote:
>> Sure, paperkey supports piping the output into whatever code generator you like:
>>
>> gpg --export-secret-key mykey | paperkey --output-format raw | your-bar-code-generator
>>
>> However, 2D bar codes have some of the problems that paperkey is intended to address. You need a 'thing' (a process, a device, etc) to read them, and part of the point of paperkey is that it's supposed to be the backup of last resort, and thus readable by a human without any special hardware involved.
>
> True, but OTOH, whilst hardware devices do tend to become obsolete
> relatively quickly, the algorithms tend to have more longevity. For
> example, you might struggle to find one of the earlier 1d bar code
> reader pens that I remember from the 1980s around now, and even the
> software used for reading and interpreting them will probably have
> disappeared, but the overall mechanism is still widely used.
>
> I would suggest that we are going to have "devices for scanning paper to
> a digital image" for quite a few years yet (whether they are SCSI-based
> ones from years ago, through USB-connected multi-function printers, to
> digital cameras and beyond). 2d bar codes (and the algorithms needed to
> process them) are well-specified, so even if the existing software
> becomes unusable, it could be re-written for a new platform.
This is exactly the point. Algorithms may stay around, but if you have to reconstruct printed data given only knowledge of the encoding algorithm (without the hardware intended to read it, or the software intended to reconstruct the data), well, it's possible, but sure as heck won't be quick or cheap for someone with image processing experience, or even possible for the majority of people without that knowledge.
Paperkey often spawns this discussion about how we could use scannable paper images using x, y, or z encoding, or favorite brands of burnable CDs that will last, etc. No doubt, favorite flash brands will be discussed in the future. These are all interesting discussions, but it's sort of missing the point. Paperkey is a way to store your key in a way that needs nothing more than eyes and a keyboard to restore, and uses a medium that can last for many times the greatest human lifespan. The disadvantage is that it's potentially annoying to recover a key from paper (i.e. typing in several hundred hex bytes without error). There are per line checksums to make this easier, so you know where a mistake is, and you can use OCR to save on typing, but still, you have to get the bytes from paper into a computer somehow. All that is fine, as paperkey does not, and is not intended to, replace a backup of your secret keys. It's not where you should be going if your primary storage goes poof.
> I'm not saying that there isn't a place for printing the key out in
> ASCII; just that it might be a good idea to print it out as a 2d barcode
> as well
Exactly. Keep proper backups! Paperkey is for when that backup fails, for when your CD stops working, for when the driver for your scanning pen isn't maintained on your new computer, or for when cosmic rays have rendered your flash corrupt. It's the backup of last resort, and as such should need nothing other than the ability to read numbers and type them in again to restore, hence my comment about not favoring a 2D barcode paperkey.
David
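The per-line checksum idea described in the message above, as an added Python example that is not paperkey's code and does not reproduce its exact output format: each printed line of hex carries its own CRC-24 (the OpenPGP armor checksum from RFC 4880, chosen here as an assumption), so a typing mistake is pinned to one line. The line layout, function names and sample bytes are constructed for this illustration.

```python
# Added illustration: per-line checksums for hand-typed key material.
# The layout "NNN: hex bytes CRC" is constructed for this example.

CRC24_INIT = 0xB704CE   # RFC 4880, section 6.1
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """CRC-24 as defined for OpenPGP ASCII armor."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def to_paper(data: bytes, per_line: int = 8) -> list:
    """Render bytes as numbered hex lines, each ending in its own CRC-24."""
    lines = []
    for number, offset in enumerate(range(0, len(data), per_line), start=1):
        chunk = data[offset:offset + per_line]
        hexed = " ".join(f"{b:02X}" for b in chunk)
        lines.append(f"{number:3d}: {hexed} {crc24(chunk):06X}")
    return lines


def from_paper(lines):
    """Parse typed-in lines; return (bytes of the good lines, bad line numbers)."""
    recovered = bytearray()
    bad = []
    for expected_no, line in enumerate(lines, start=1):
        try:
            label, rest = line.split(":", 1)
            *hex_bytes, typed_crc = rest.split()
            chunk = bytes(int(h, 16) for h in hex_bytes)
            ok = (int(label) == expected_no          # catches skipped or swapped lines
                  and len(typed_crc) == 6
                  and int(typed_crc, 16) == crc24(chunk))
        except ValueError:                           # non-hex text, missing fields
            ok = False
        if ok:
            recovered += chunk
        else:
            bad.append(expected_no)
    return bytes(recovered), bad


def demo():
    secret = bytes(range(0x10, 0x24))    # constructed 20-byte stand-in, not a real key
    printed = to_paper(secret)
    typed = list(printed)
    typed[1] = typed[1].replace("1A", "1B", 1)   # one mistyped digit on line 2
    return printed, from_paper(printed), from_paper(typed)


if __name__ == "__main__":
    printed, clean, dirty = demo()
    print("\n".join(printed))
    print("clean input, bad lines:", clean[1])
    print("typo input, bad lines: ", dirty[1])
```

Only the flagged line has to be re-read from paper and retyped; the rest of the input is already known to be good.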
From sini.ruohomaa at cs.helsinki.fi Sun Jan 13 22:50:59 2013
From: sini.ruohomaa at cs.helsinki.fi (sini.ruohomaa at cs.helsinki.fi)
Date: Sun, 13 Jan 2013 23:50:59 +0200
Subject: [Enigmail] Problem with automated decryption of encrypted drafts?
(Key unlocking popup nightmares)
In-Reply-To: <877gnvfl6k.fsf@vigenere.g10code.de>
References:
<50E4042D.2090907@enigmail.net> <50E48162.50502@fifthhorseman.net>
<877gnvfl6k.fsf@vigenere.g10code.de>
Message-ID: <50F32C43.3010001@cs.helsinki.fi>
Hi,
Sorry, I was hoping I could find a solution for this so I could report
it but only got to a state where I've minimized the effects by avoidance
behaviour. :/
One "solution" to work around this would be to let my email program
always cache my key until the end of the session and only have this
problem once per session (I have multihour sessions, it wouldn't help a
whole lot to just cache for a couple of hours), but
a) my heart bleeds over the thought that I have to accept the ever so
slightly reduced security just to not be harassed repeatedly for
decryption I have not requested. (Why ask the user in the first place if
this is the only way to go, etc.) Also,
b) it still means that just having Enigmail installed gives me random
key unlock requests, apparently even on sessions where I'm not handling
encrypted mail. As long as this stands I've chosen not to install the
plugin in one of my TB setups where I don't have time for playing
around, just because the hassle is too big; I'd rather have to cutpaste
the mails manually out of TB for decryption if I need them than take the
popup windows. So this bothers me.
This is what I've managed to do. I'd appreciate if someone could
eliminate that some of these actions are not necessary/useful for peace
from popups:
- I turned off all automatic decryption I could find (have to
manually press the 'decrypt' button now - and have started to wish it
would be an "Other Actions" in the message preview pane too ;))
- I also turned off all other TB features that sound even remotely
like they're trying to read messages. This includes search indexing
and spam filtering.
- I changed my drafts saving to be local instead of on the IMAP server,
just in case that would spare me from key unlocking popups (this
too causes minor inconvenience so I may have to revert it, I'm hoping
it doesn't make a difference).
- I have a per-recipient rule to encrypt mail, so to those recipients I
don't type in the recipient before I'm about to send.
- I don't click on the encryption key to indicate I want to encrypt
the message before I'm about to send either. (It'd be really great if
this wasn't a problem, too, because it increases the probability of
forgetting.)
This session I got an unwarranted popup asking for a key unlock:
- while I was editing my message filters (I don't *think* I had any
encryption-related mails open at the time, it just came as a
surprise and got me to start this mail; it's not easily reproducible)
- expectedly when I tried to save as draft a mail that was marked to
be encrypted (to test the window grab one more time),
- after I deleted an encrypted test draft mail from my Drafts folder and
the preview pane moved on to an unencrypted mail (this one, actually),
- after I first turned _off_ encrypting on the open draft message from
the yellow key icon in the bottom right corner, and made sure it was
deleted from the Drafts folder, and THEN tried to save it as draft
(this seems to be a bug, shouldn't it start saving the draft
as cleartext at that point?)
- after autosave wanted to save said test mail a couple of minutes
later; after that I didn't change it so it's been peaceful.
For the most part, I seem to get through my sessions with little
harassment currently as long as I don't do anything unusual or handle
encrypted mails, but I still have problems replying to encrypted mails
(that is, besides decrypting them to be read and to be replied to, which
I find completely reasonable). Because the replies are by default
encrypted, the draft autosaving keeps wanting to decrypt the result even
though the message is open in front of me. (This also occasionally leads
to a strange effect that my draft folder starts to fill up with copies
of the draft message over time, but I'm not able to reproduce it with my
test message.)
[Pinentry grabs X session]
> On Wed, 2 Jan 2013 19:50, dkg at fifthhorseman.net said:
>>> GnuPG 2.x, and there is nothing Enigmail could do about it. AFAIR
>>> there is an option in gpg-agent.conf to disable blocking the X session.
>
> It is called --no-grab.
I may be dense since gpg-agent always seems to defeat me whenever I get
close to it. But I added this option to a new file,
~/.gnupg/gpg-agent.conf. It now contains the line "no-grab" and nothing
else. I also made sure the Preferences > Advanced > "Use gpg-agent for
passphrases" option was set. The resulting command in the console is
"gpg --charset utf-8 --display-charset utf-8 --batch --no-tty
--status-fd 2 --decrypt --use-agent".
This has no effect on the blocking effect of the popup windows asking
for my key passphrase. I can change window focus out of the popup by
moving my mouse around, but I cannot do anything in the other windows.
I'm not sure what I'm doing wrong.
>> Do any gnupg contributors have suggestions about the "fails to cache my
>> 'cancels'" concern Sini raised above? I'm not sure how the pieces could
>
> I am not sure what he means. However, recent GnuPG's and pinentries
> have a cancel-all feature: Either the pinentry features an appropriate
> button or you use the close-window button of the pinentry which also
> sends the cancel-all message.
>
> This is useful if gpg starts looking for --throw-keyid keys and you know
> that you don't have the key.
This feature may also theoretically exist, but unfortunately it makes no
difference for me if I hit 'cancel' or close the window from the upper
right button; I'll still get the dialogue repeatedly if it's coming
repeatedly. I suspect it's just because gpg-agent is immediately being
asked a second time after I cancel, as my Enigmail console seems to
suggest. I've been unable to start an Enigmail log file.
Sorry about the length, too high threshold to complain on mailing lists,
don't want to do it multiple times. X-)
Best regards,
--Sini
From jussi.kivilinna at mbnet.fi Mon Jan 14 08:34:09 2013
From: jussi.kivilinna at mbnet.fi (Jussi Kivilinna)
Date: Mon, 14 Jan 2013 09:34:09 +0200
Subject: Gpg Aes-ni
In-Reply-To:
References:
Message-ID: <20130114093409.12381kpklsgkt5gg@www.dalek.fi>
Hello,
gpg 1.4.13 does not have AES-NI acceleration. You'd need to use gpg
2.0.x with libgcrypt version that has AES-NI support (libgcrypt 1.5.0
or newer).
If you have more questions with regards to GnuPG, please use GnuPG
mailing list (gnupg-users at gnupg.org) instead.
-Jussi
Quoting Ertunga Arsal :
> Hi Jussi,
>
> Does the latest cli, gpg 1.4.13 support AES-NI?
>
> Does a command like gpg -r abc at esnc.de --cipher-algo AES256
> --compress-algo none --encrypt xyz.bin use the accelerated routines?
>
> I'm currently receiving 30MB throughput, it should be actually close
> to 500MB. Is there a way to make it work?
>
> Kind regards,
> Ertunga
>
> ___________
> Ertunga Arsal, CISSP, ISSAP
> ESNC GmbH
> Bliesstr. 16 66538 Neunkirchen
> Tel : +49-6821-920-6852
> Fax : +49-6821-912-7354
> ertunga.arsal at esnc.de
> http://www.esnc.de
> HRB 18216 Saarbrücken
>
>
From leotreasure at gmail.com Tue Jan 15 08:49:43 2013
From: leotreasure at gmail.com (Leo Treasure)
Date: Tue, 15 Jan 2013 18:49:43 +1100
Subject: Problem with keys
Message-ID: <50F50A17.1070107@gmail.com>
Hello,
I'm relatively new to GPG but I'm having this problem I need some advice on.
When I clear sign a message using a newly created key pair it always
chooses the sub key instead of the main key. This happens even when
using --default-key .
In my settings, GPGPreferences I have the correct key in default key
selected. Also in ~/.gnupg/gpg.conf the default-key has the main key's ID.
I am running OS X Mountain Lion and the latest version of GPG
(GnuPG/MacGPG2) 2.0.19
Not putting in an email address when creating the key is about the only
unusual thing I have done.
Any suggestions?
From mailinglisten at hauke-laging.de Tue Jan 15 17:10:06 2013
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Tue, 15 Jan 2013 17:10:06 +0100
Subject: Problem with keys
In-Reply-To: <50F50A17.1070107@gmail.com>
References: <50F50A17.1070107@gmail.com>
Message-ID: <2016360.QT2BuaKC7L@inno>
On Tue 15.01.2013, 18:49:43, Leo Treasure wrote:
> When I clear sign a message using a newly created key pair it always
> chooses the sub key instead of the main key. This happens even when
> using --default-key .
This is the expected behaviour. Why don't you want to use your subkey?
You can force the usage of the mainkey:
--local-user 0x1a571df5\!
--default-key 0x1a571df5\!
(the \ is for the shell and not always necessary)
The main key should not be available for normal usage. The keyword is: offline
mainkey.
Hauke
--
PGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 (since 2012-11-04)
http://www.openpgp-schulungen.de/
From leotreasure at gmail.com Wed Jan 16 07:42:38 2013
From: leotreasure at gmail.com (Leo Treasure)
Date: Wed, 16 Jan 2013 17:42:38 +1100
Subject: Problem with keys
In-Reply-To: <50F6160F.4010802@gmail.com>
References: <50F50A17.1070107@gmail.com> <2016360.QT2BuaKC7L@inno>
<50F6160F.4010802@gmail.com>
Message-ID: <50F64BDE.5060406@gmail.com>
On 16/01/13 3:10 AM, Hauke Laging wrote:
> On Tue 15.01.2013, 18:49:43, Leo Treasure wrote:
>> When I clear sign a message using a newly created key pair it always
>> chooses the sub key instead of the main key. This happens even when
>> using --default-key .
> This is the expected behaviour. Why don't you want to use your subkey?
> You can force the usage of the mainkey:
> --local-user 0x1a571df5\!
> --default-key 0x1a571df5\!
> (the \ is for the shell and not always necessary)
> The main key should not be available for normal usage. The keyword is:
> offline mainkey.
> Hauke
> --
> PGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 (since 2012-11-04)
> http://www.openpgp-schulungen.de/
Thanks Hauke! I needed to use the main key to interface with a Bitcoin
exchange mpex.co. I first exported my ascii armoured public key and sent
it. For subsequent orders the exchange operator needs me to sign with
the same main key.
I'm not sure if this is a normal use or not. Do you mean that the main
key is offline so it is the private key?
Sorry if this is a silly question I'm still coming to grips with GPG.
Much appreciate your help!
Leo
From dkg at fifthhorseman.net Wed Jan 16 17:54:33 2013
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 16 Jan 2013 11:54:33 -0500
Subject: Problem with keys
In-Reply-To: <50F64BDE.5060406@gmail.com>
References: <50F50A17.1070107@gmail.com> <2016360.QT2BuaKC7L@inno>
<50F6160F.4010802@gmail.com> <50F64BDE.5060406@gmail.com>
Message-ID: <50F6DB49.6040106@fifthhorseman.net>
On 01/16/2013 01:42 AM, Leo Treasure wrote:
> Thanks Hauke! I needed to use the main key to interface with a Bitcoin
> exchange mpex.co. I first exported my ascii armoured public key and sent
> it. For subsequent orders the exchange operator needs me to sign with
> the same main key.
I note that your key 0x46EEEA4C06CD1637 is a bit unusual in that its
subkey is marked as signing-capable. with the default gpg --gen-key
creation, the primary key is usually marked as capable for signing and
certification, and the subkey is marked as just encryption-capable.
how did you create this key?
Despite it being unusual, it's entirely reasonable and within the
OpenPGP spec to have a signing-capable subkey.
You should tell mpex.co that their system needs to support
signing-capable subkeys.
Feel free to point them to this discussion, and to encourage them to ask
here if they're unclear about what that means or how they might do so.
> I'm not sure if this is a normal use or not. Do you mean that the main
> key is offline so it is the private key?
no, your primary key is not offline unless you've taken steps to put it
offline (you would know if you had done so). Hauke was making a
suggestion of something else you could do.
--dkg
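What the message above asks of a verifying service, accepting signatures made by a signing-capable subkey of an enrolled key, can be checked from `gpg --with-colons --list-keys` output, where field 12 of each `pub`/`sub` record holds that key's capability letters. The following Python is an added example, not code from this thread or from GnuPG; the listing and its key IDs are constructed placeholders and the function names are hypothetical.

```python
import collections

# Constructed `gpg --with-colons --list-keys` output; key IDs are placeholders.
# First key: signing-capable subkey (the unusual layout discussed above).
# Second key: default layout plus one revoked signing subkey.
SAMPLE = """\
pub:u:2048:1:1111111111111111:1358208000:::u:::scESC:
uid:u::::1358208000::::Constructed User One:
sub:u:2048:1:2222222222222222:1358208000::::::s:
sub:u:2048:1:3333333333333333:1358208000::::::e:
pub:f:2048:1:4444444444444444:1325376000:::-:::scESC:
uid:f::::1325376000::::Constructed User Two:
sub:f:2048:1:5555555555555555:1325376000::::::e:
sub:r:2048:1:6666666666666666:1325376000::::::s:
"""

Key = collections.namedtuple("Key", "keyid primary validity caps")

# Field 2 validity letters that make a key unusable:
# i = invalid, d = disabled, r = revoked, e = expired.
UNUSABLE = set("idre")


def parse_colons(listing):
    """Map every key ID (primary or subkey) to a Key record."""
    keys = {}
    primary = None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] not in ("pub", "sub") or len(fields) < 12:
            continue
        if fields[0] == "pub":
            primary = fields[4]
        elif primary is None:
            continue  # a sub record with no preceding pub is malformed
        keys[fields[4]] = Key(fields[4], primary, fields[1], fields[11])
    return keys


def can_sign(key):
    """Lowercase 's' is the key's own capability; the uppercase letters on a
    pub record only summarise the whole key and are ignored here."""
    return "s" in key.caps and key.validity not in UNUSABLE


def signing_keys(keys, primary_id):
    """All usable signing-capable key IDs that belong to one primary key."""
    return sorted(k.keyid for k in keys.values()
                  if k.primary == primary_id and can_sign(k))


def attribute_signature(keys, issuer_keyid, enrolled_primary):
    """Verifier-side check: the issuer must be the enrolled primary key or one
    of its usable signing subkeys."""
    kid = issuer_keyid.upper()
    if kid.startswith("0X"):
        kid = kid[2:]
    key = keys.get(kid)
    return key is not None and key.primary == enrolled_primary and can_sign(key)


if __name__ == "__main__":
    keys = parse_colons(SAMPLE)
    for primary in ("1111111111111111", "4444444444444444"):
        print(primary, "may be signed for by", signing_keys(keys, primary))
    print(attribute_signature(keys, "0x2222222222222222", "1111111111111111"))
```

When the verification is done by gpg itself, the `VALIDSIG` status line carries the primary key fingerprint as its last field, which gives the same attribution without parsing key listings.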
From dkg at fifthhorseman.net Thu Jan 17 03:48:44 2013
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 16 Jan 2013 21:48:44 -0500
Subject: Problem with keys
In-Reply-To: <50F7648C.9060306@gmail.com>
References: <50F50A17.1070107@gmail.com> <2016360.QT2BuaKC7L@inno>
<50F6160F.4010802@gmail.com> <50F64BDE.5060406@gmail.com>
<50F6DB49.6040106@fifthhorseman.net> <50F7648C.9060306@gmail.com>
Message-ID: <50F7668C.70908@fifthhorseman.net>
On 01/16/2013 09:40 PM, Leo Treasure wrote:
> Thanks dkg. I created the key under normal circumstances using version:
> gpg (GnuPG/MacGPG2) 2.0.19
> libgcrypt 1.5.0
i'm afraid i don't know what "the normal circumstances" are for MacGPG
-- maybe there's a better forum for MacGPG someplace?
> When setting up the keypair I did not provide an email address.
that's OK, the e-mail address is part of the User ID, and the choice of
User ID(s) is orthogonal to the settings on your primary key or any of
your subkeys.
> Could it be that I am using the Mac version that I got this unusual
> keypair setup?
Maybe -- i have never tried it. Perhaps someone else on this list
has more experience with it, though. If MacGPG is setting up default
keys with such unusual usage flags, it'd be good to know about it.
--dkg
From leotreasure at gmail.com Thu Jan 17 03:40:12 2013
From: leotreasure at gmail.com (Leo Treasure)
Date: Thu, 17 Jan 2013 13:40:12 +1100
Subject: Problem with keys
In-Reply-To: <50F6DB49.6040106@fifthhorseman.net>
References: <50F50A17.1070107@gmail.com> <2016360.QT2BuaKC7L@inno>
<50F6160F.4010802@gmail.com> <50F64BDE.5060406@gmail.com>
<50F6DB49.6040106@fifthhorseman.net>
Message-ID: <50F7648C.9060306@gmail.com>
Thanks dkg. I created the key under normal circumstances using version:
gpg (GnuPG/MacGPG2) 2.0.19
libgcrypt 1.5.0
When setting up the keypair I did not provide an email address.
Could it be that I am using the Mac version that I got this unusual
keypair setup?
Regards,
Leo
On 17/01/13 3:54 AM, Daniel Kahn Gillmor wrote:
> On 01/16/2013 01:42 AM, Leo Treasure wrote:
>> Thanks Hauke! I needed to use the main key to interface with a Bitcoin
>> exchange mpex.co. I first exported my ascii armoured public key and sent
>> it. For subsequent orders the exchange operator needs me to sign with
>> the same main key.
>
> I note that your key 0x46EEEA4C06CD1637 is a bit unusual in that its
> subkey is marked as signing-capable. with the default gpg --gen-key
> creation, the primary key is usually marked as capable for signing and
> certification, and the subkey is marked as just encryption-capable.
>
> how did you create this key?
>
> Despite it being unusual, it's entirely reasonable and within the
> OpenPGP spec to have a signing-capable subkey.
>
> You should tell mpex.co that their system needs to support
> signing-capable subkeys.
>
> Feel free to point them to this discussion, and to encourage them to ask
> here if they're unclear about what that means or how they might do so.
>
>> I'm not sure if this is a normal use or not. Do you mean that the main
>> key is offline so it is the private key?
>
> no, your primary key is not offline unless you've taken steps to put it
> offline (you would know if you had done so). Hauke was making a
> suggestion of something else you could do.
>
> --dkg
>
>
From anychem at tormail.org Sat Jan 19 00:57:24 2013
From: anychem at tormail.org (anychem at tormail.org)
Date: Fri, 18 Jan 2013 23:57:24 -0000
Subject: No subject
Message-ID: <1TwLoK-000IKU-Rr@internal.tormail.org>
hi, need help to contact peaceandlove
From expires2013 at ymail.com Sun Jan 20 01:25:37 2013
From: expires2013 at ymail.com (MFPA)
Date: Sun, 20 Jan 2013 00:25:37 +0000
Subject:
In-Reply-To: <1TwLoK-000IKU-Rr@internal.tormail.org>
References: <1TwLoK-000IKU-Rr@internal.tormail.org>
Message-ID: <1679636413.20130120002537@my_localhost>
Hi
On Friday 18 January 2013 at 11:57:24 PM, anychem at tormail.org wrote:
> hi, need help to contact peaceandlove
If you give a little more info, people are more likely to be able to
help. I suggest you try posting again addressing some of the questions
below, and giving your message a descriptive subject line.
What help do you need?
What are you trying to achieve?
What is going wrong?
Which operating system are you using?
And which GnuPG version?
And what email software?
- --
Best regards
MFPA mailto:expires2013 at ymail.com
Why is the universe here? Well, where else would it be?
From sradithya at gmail.com Sun Jan 20 04:17:37 2013
From: sradithya at gmail.com (raja aditya)
Date: Sat, 19 Jan 2013 21:17:37 -0600
Subject: gpg: out of memory while allocating 8192 bytes - HELP NEEDED
Message-ID:
Hi All,
We are receiving the below error message when trying to encrypt or decrypt
a file on AIX server :
*gpg: out of memory while allocating 8192 bytes*
gpg process was working for years on the server until the day we started to
see this.
This same gpg encryption is working on another AIX server in the same
environment. Many options were tried including copying the gpg from the
server that's working on, recycling the server etc. But the error is
persisting.
This is not a problem with any one specific id or a group of id's. Any id
trying to encrypt/decrypt is getting this error. Hence this is observed at
a server level and not at a user or id level.
We have another server with identical settings where it is working
normally. Even restoring the file system from this server didn't help.
The server memory is just fine and is well within limits. Even trying to
encrypt / decrypt an empty or a 3 record file is facing a problem, hence
it's irrespective of the file size or who is trying to encrypt/decrypt it.
Sample Error :
/home>touch simple1
/home >chmod 777 simple1
/home >/opt/TWWfsw/gnupg12/bin/gpg --encrypt-file simple1
You did not specify a user ID. (you may use "-r")
Enter the user ID. End with an empty line: sradithya
*gpg: out of memory while allocating 8192 bytes*
/home >
The issue that surprises is that it also worked for a day after the crash
recovery. It's only the next day that it stopped working.
No visible changes happened in that one day nor any new file systems were
restored. The fact that it worked for a day after crash and then lost is
perplexing.
Any help or suggestions on this or any clues to look out for would be of
invaluable help to me. Please post any suggestions that you may have.
Best Regards,
Aditya
From rmorgan466 at gmail.com Mon Jan 21 17:56:58 2013
From: rmorgan466 at gmail.com (Rita)
Date: Mon, 21 Jan 2013 11:56:58 -0500
Subject: passing information among several users
Message-ID:
Hello,
Here is what I am trying to do in my environment.
I have 6 users: masteruser and user{A,B,C,D,E}
Masteruser will be generating data and I would like userA and userC be able
to decrypt the data and others not to. However, in the future I would like
to add userE to decrypt the data and remove userA (any old data she has is
fine). I was wondering how I can achieve this using gpg.
--
--- Get your facts first, then you can distort them as you please.--
From johanw at vulcan.xs4all.nl Mon Jan 21 21:19:43 2013
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Mon, 21 Jan 2013 21:19:43 +0100
Subject: passing information among several users
In-Reply-To:
References:
Message-ID: <50FDA2DF.7040201@vulcan.xs4all.nl>
On 21-01-2013 17:56, Rita wrote:
> I have 6 users: masteruser and user{A,B,C,D,E}
Make also 6 keypairs for each user.
> Masteruser will be generating data and I would like userA and userC be
> able to decrypt the data and others not to.
Encrypt it to the public key of users A and C.
> However, in the future I
> would like to add userE to decrypt the data and remove userA (any old
> data she has is fine).
Encrypt the new messages only to the keys of C and E.
> I was wondering how I can achieve this using gpg
The easiest way is to define a group in gpg.conf:
group receivers=01234567 ABCDEF89
where 01234567 and ABCDEF89 are the key ID's of the receivers.
--
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
From jeandavid8 at verizon.net Mon Jan 21 20:43:35 2013
From: jeandavid8 at verizon.net (Jean-David Beyer)
Date: Mon, 21 Jan 2013 14:43:35 -0500
Subject: passing information among several users
In-Reply-To:
References:
Message-ID: <50FD9A67.7070305@verizon.net>
On 01/21/2013 11:56 AM, Rita wrote:
> Hello,
>
>
> Here is what I am trying to do in my environment.
>
>
> I have 6 users: masteruser and user{A,B,C,D,E}
>
> Masteruser will be generating data and I would like userA and userC be
> able to decrypt the data and others not to. However, in the future I
> would like to add userE to decrypt the data and remove userA (any old
> data she has is fine). I was wondering how I can achieve this using gpg
>
Sure you can do this.
Or do you want to know how?
1.) Get gnupg software. http://gnupg.org/
Install it, generate your keys and your revocation certificate (you
never know when you will need one).
2.) Upload your public key to a keyserver.
3.) Have A and C do the same.
3a.) If you want to anytime, have B and D do it too.
4.) When you want to send data get the public keys for A and C.
5.) Encrypt these data with the public keys of A and C.
Am I missing something?
From david at systemoverlord.com Wed Jan 23 00:33:01 2013
From: david at systemoverlord.com (David Tomaschik)
Date: Tue, 22 Jan 2013 15:33:01 -0800
Subject: Rugged ID-000 form factor card reader?
Message-ID:
Does anyone know of a more rugged ID-000 (SIM card size) smart card reader
than the Gemalto? I'm thinking of something with a metal case perhaps?
The reason I ask is that I've had 2 gemalto readers have the plastic part
that attaches to a keyring break off. I would hate to lose my smart card
in this way.
Even better would be a new smart card with a form factor similar to the
Yubikey Nano (https://www.yubico.com/products/yubikey-hardware/yubikey-nano/)
but that might be a pipe dream.
--
David Tomaschik
OpenPGP: 0x5DEA789B
http://systemoverlord.com
david at systemoverlord.com
From aokunlola at gmail.com Wed Jan 23 02:59:35 2013
From: aokunlola at gmail.com (Akinola Okunlola)
Date: Tue, 22 Jan 2013 20:59:35 -0500
Subject: Patch for using GPG on 64 bit Matching
Message-ID:
Hi fellow gnupg-users,
I am new to gpg arena though I have used PGP in the past.
We have 64-bit servers and I was wondering if there is a Patch to apply to
gpg so it could run successfully on 64 bit.
Please let me know.
Currently, my command line scripts does not run when automated but I can
run them manually.
Please help.
AO
From js at vinci-info.com Wed Jan 23 12:40:06 2013
From: js at vinci-info.com (Johannes Scholz)
Date: Wed, 23 Jan 2013 12:40:06 +0100
Subject: gpg on windows 2008 running from task scheduler as NT
AUTHORITY\SYSTEM fails with exit code 255
Message-ID:
Hello,
I am trying to run some gpg operations from a script on windows.
Said script works perfectly fine when I run it as a "normal" user account.
When launched from the task scheduler (which launches the script as NT AUTHORITY\SYSTEM) it just exits, the exit code is being set to 255.
Nothing on stderr or stdout.
One example command that fails:
"C:\Program Files\Some App\Update\gpg\gpg2.exe" --list-public-keys --with-colons --homedir "C:\Program Files\Some App\Update" XXXXXXXX
The home directory I specified with --homedir exists and the System user has full access to that directory and its contents.
I added gpg2.exe to windows 2008's data execution prevention (DEP) exception list.
At this point I am out of ideas. Other binaries used by the script (wget, 7zip) work just fine, even when run as System user.
gpg (GnuPG) 2.0.17 (Gpg4win 2.1.0)
libgcrypt 1.4.6
Thoughts?
Regards,
Johannes Scholz
From wk at gnupg.org Wed Jan 23 19:33:53 2013
From: wk at gnupg.org (Werner Koch)
Date: Wed, 23 Jan 2013 19:33:53 +0100
Subject: Patch for using GPG on 64 bit Matching
In-Reply-To:
(Akinola Okunlola's message of "Tue, 22 Jan 2013 20:59:35 -0500")
References:
Message-ID: <87zjzzn3zi.fsf@vigenere.g10code.de>
On Wed, 23 Jan 2013 02:59, aokunlola at gmail.com said:
> We have 64-bit servers and I was wondering if there is a Patch to apply to
> gpg so it could run successfully on 64 bit.
GnuPG definitely runs on 64 bit boxes. There is only a glitch for
big-endian boxes. If nobody complains I plan to do a 1.4.15 soon.
Shalom-Salam,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
From david at systemoverlord.com Wed Jan 23 19:39:30 2013
From: david at systemoverlord.com (David Tomaschik)
Date: Wed, 23 Jan 2013 10:39:30 -0800
Subject: Patch for using GPG on 64 bit Matching
In-Reply-To:
References:
Message-ID:
I regularly use GnuPG on 64 bit servers with no patches or changes. What
OS is on your servers? What version of GPG are you running?
On Tue, Jan 22, 2013 at 5:59 PM, Akinola Okunlola wrote:
> Hi fellow gnupg-users,
>
> I am new to gpg arena though I have used PGP in the past.
> We have 64-bit servers and I was wondering if there is a Patch to apply to
> gpg so it could run successfully on 64 bit.
> Please let me know.
> Currently, my command line scripts does not run when automated but I can
> run them manually.
>
> Please help.
>
> AO
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
>
--
David Tomaschik
OpenPGP: 0x5DEA789B
http://systemoverlord.com
david at systemoverlord.com
From aokunlola at gmail.com Thu Jan 24 05:47:58 2013
From: aokunlola at gmail.com (Akinola Okunlola)
Date: Wed, 23 Jan 2013 23:47:58 -0500
Subject: Patch for using GPG on 64 bit Matching
In-Reply-To:
References:
Message-ID:
Hi David,
OS is: Windows 2008 R2 Enterprise (64-bit). We are running Gpg4win version
2.1.0 (2011-03-15) which contains GnuPG 2.0.17.
Thanks,
-Akin
On Wednesday, January 23, 2013, David Tomaschik wrote:
> I regularly use GnuPG on 64 bit servers with no patches or changes. What
> OS is on your servers? What version of GPG are you running?
>
>
> On Tue, Jan 22, 2013 at 5:59 PM, Akinola Okunlola wrote:
>
>> Hi fellow gnupg-users,
>>
>> I am new to gpg arena though I have used PGP in the past.
>> We have 64-bit servers and I was wondering if there is a Patch to apply
>> to gpg so it could run successfully on 64 bit.
>> Please let me know.
>> Currently, my command line scripts does not run when automated but I can
>> run them manually.
>>
>> Please help.
>>
>> AO
>>
>> _______________________________________________
>> Gnupg-users mailing list
>> Gnupg-users at gnupg.org
>> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>>
>>
>
>
> --
> David Tomaschik
> OpenPGP: 0x5DEA789B
> http://systemoverlord.com
> david at systemoverlord.com
>
From js at vinci-info.com Thu Jan 24 08:55:29 2013
From: js at vinci-info.com (Johannes Scholz)
Date: Thu, 24 Jan 2013 08:55:29 +0100
Subject: Patch for using GPG on 64 bit Matching
In-Reply-To:
Message-ID:
By "does not run when automated" you mean it does not run when you run it from the task scheduler? If so, maybe you are having the same issue that I seem to have (2008 AMD64) http://lists.gnupg.org/pipermail/gnupg-users/2013-January/045960.html
+ Johannes Scholz
+ js at vinci-info.com
From: Akinola Okunlola
Date: Donnerstag, 24. Januar 2013 05:47
To: David Tomaschik
Cc: GnuPG Users List
Subject: Re: Patch for using GPG on 64 bit Matching
Hi David,
OS is: Windows 2008 R2 Enterprise (64-bit). We are running Gpg4win version 2.1.0 (2011-03-15) which contains GnuPG 2.0.17.
Thanks,
-Akin
On Wednesday, January 23, 2013, David Tomaschik wrote:
I regularly use GnuPG on 64 bit servers with no patches or changes. What OS is on your servers? What version of GPG are you running?
On Tue, Jan 22, 2013 at 5:59 PM, Akinola Okunlola wrote:
Hi fellow gnupg-users,
I am new to gpg arena though I have used PGP in the past.
We have 64-bit servers and I was wondering if there is a Patch to apply to gpg so it could run successfully on 64 bit.
Please let me know.
Currently, my command line scripts does not run when automated but I can run them manually.
Please help.
AO
_______________________________________________
Gnupg-users mailing list
Gnupg-users at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
--
David Tomaschik
OpenPGP: 0x5DEA789B
http://systemoverlord.com
david at systemoverlord.com
From johanw at vulcan.xs4all.nl Thu Jan 24 13:05:58 2013
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Thu, 24 Jan 2013 13:05:58 +0100
Subject: Patch for using GPG on 64 bit Matching
In-Reply-To: <87zjzzn3zi.fsf@vigenere.g10code.de>
References:
<87zjzzn3zi.fsf@vigenere.g10code.de>
Message-ID: <510123A6.10204@vulcan.xs4all.nl>
On 23-01-2013 19:33, Werner Koch wrote:
> GnuPG definitely runs on 64 bit boxes. There is only a glitch for
> big-endian boxes. If nobody complains I plan to do a 1.4.15 soon.
Did I miss 1.4.14?
--
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
From aokunlola at gmail.com Thu Jan 24 16:36:37 2013
From: aokunlola at gmail.com (Akinola Okunlola)
Date: Thu, 24 Jan 2013 10:36:37 -0500
Subject: Patch for using GPG on 64 bit Matching
In-Reply-To:
References:
Message-ID:
I agreed with you David, these are very similar issues. I am exploring the
possibility of using Rational robot to run the script.
On Thu, Jan 24, 2013 at 2:55 AM, Johannes Scholz wrote:
> By "does not run when automated" you mean it does not run when you run it
> from the task scheduler? If so, maybe you are having the same issue that I
> seem to have (2008 AMD64)
> http://lists.gnupg.org/pipermail/gnupg-users/2013-January/045960.html
>
> + Johannes Scholz
> + js at vinci-info.com
>
> From: Akinola Okunlola
> Date: Donnerstag, 24. Januar 2013 05:47
> To: David Tomaschik
> Cc: GnuPG Users List
> Subject: Re: Patch for using GPG on 64 bit Matching
>
> Hi David,
>
> OS is: Windows 2008 R2 Enterprise (64-bit). We are running Gpg4win version
> 2.1.0 (2011-03-15) which contains GnuPG 2.0.17.
>
> Thanks,
>
> -Akin
>
> On Wednesday, January 23, 2013, David Tomaschik wrote:
>
>> I regularly use GnuPG on 64 bit servers with no patches or changes. What
>> OS is on your servers? What version of GPG are you running?
>>
>>
>> On Tue, Jan 22, 2013 at 5:59 PM, Akinola Okunlola wrote:
>>
>>> Hi fellow gnupg-users,
>>>
>>> I am new to gpg arena though I have used PGP in the past.
>>> We have 64-bit servers and I was wondering if there is a Patch to apply
>>> to gpg so it could run successfully on 64 bit.
>>> Please let me know.
>>> Currently, my command line scripts does not run when automated but I can
>>> run them manually.
>>>
>>> Please help.
>>>
>>> AO
>>>
>>> _______________________________________________
>>> Gnupg-users mailing list
>>> Gnupg-users at gnupg.org
>>> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>>>
>>>
>>
>>
>> --
>> David Tomaschik
>> OpenPGP: 0x5DEA789B
>> http://systemoverlord.com
>> david at systemoverlord.com
>>
>
From wk at gnupg.org Fri Jan 25 09:51:03 2013
From: wk at gnupg.org (Werner Koch)
Date: Fri, 25 Jan 2013 09:51:03 +0100
Subject: Patch for using GPG on 64 bit Matching
In-Reply-To: <510123A6.10204@vulcan.xs4all.nl> (Johan Wevers's message of
"Thu, 24 Jan 2013 13:05:58 +0100")
References:
<87zjzzn3zi.fsf@vigenere.g10code.de> <510123A6.10204@vulcan.xs4all.nl>
Message-ID: <87txq5lk7c.fsf@vigenere.g10code.de>
On Thu, 24 Jan 2013 13:05, johanw at vulcan.xs4all.nl said:
> Did I miss 1.4.14?
You are right, the next version will be 1.4.14.
Shalom-Salam,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
From wuttkej at gmail.com Fri Jan 25 12:16:47 2013
From: wuttkej at gmail.com (Jochen Wuttke)
Date: Fri, 25 Jan 2013 12:16:47 +0100
Subject: No rule to make target `audit-events.h', needed by `all'
Message-ID:
Hi all,
I just tried to compile gpg 2.0.19 on Mac OSX. After resolving an odd issue
with libiconv, I got a little further, but get the following make error:
Making all in common
make[2]: *** No rule to make target `audit-events.h', needed by `all'.
Stop.
make[1]: *** [all-recursive] Error 1
make: *** [all] Error 2
I found this question asked as far back as 2010 on various forums and user
groups, but I could never find an answer to what causes this and how to
resolve it.
Any hints?
Thanks,
Jochen
From mlisten at hammernoch.net Fri Jan 25 20:21:38 2013
From: mlisten at hammernoch.net (Ludwig Hügelschäfer)
Date: Fri, 25 Jan 2013 20:21:38 +0100
Subject: No rule to make target `audit-events.h', needed by `all'
In-Reply-To:
References:
Message-ID: <5102DB42.2020607@hammernoch.net>
Hi,
On 25.01.13 12:16, Jochen Wuttke wrote:
> I found this question asked as far back as 2010 on various forums
> an user groups, but I could never find an answer to what causes
> this and how to resolve it. Any hints?
You may want to look into buildscripts and patches used by the
gpgtools project. The dev-tree builds fine here.
https://github.com/GPGTools/MacGPG2/tree/dev
Ludwig
From rjh at sixdemonbag.org Mon Jan 28 06:56:25 2013
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 28 Jan 2013 00:56:25 -0500
Subject: Fedora 18: still broken for OpenPGP cards
Message-ID: <51061309.6020604@sixdemonbag.org>
My prior bug report detailing Fedora 17's problems with OpenPGP cards is
still current for Fedora 18. Would it be possible for one of the GnuPG
maintainers to shake the tree of the gnupg2-smime maintainer (the RPM
just lists the Fedora Project as the maintainer) and ask why in God's
name they insist on releasing a gnupg2-smime package that does not work,
clearly hasn't been checked against the most common smartcard hardware
in use for GnuPG, and which has been broken for two major releases?
The original thread, BTW:
http://www.gossamer-threads.com/lists/gnupg/users/58041
From rjh at sixdemonbag.org Mon Jan 28 07:07:48 2013
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 28 Jan 2013 01:07:48 -0500
Subject: Fedora 18: still broken for OpenPGP cards
In-Reply-To: <51061309.6020604@sixdemonbag.org>
References: <51061309.6020604@sixdemonbag.org>
Message-ID: <510615B4.60206@sixdemonbag.org>
On 01/28/2013 12:56 AM, Robert J. Hansen wrote:
> My prior bug report detailing Fedora 17's problems with OpenPGP cards is
> still current for Fedora 18.
Addendum: GnuPG 1.4.13 works fine with smart cards. It's only GnuPG
2.0.19 that's screwed up.
[rjh at localhost ~]$ gpg --version
gpg (GnuPG) 1.4.13
... snip ...
[rjh at localhost ~]$ gpg2 --version
gpg (GnuPG) 2.0.19
libgcrypt 1.5.0
... snip ...
[rjh at localhost ~]$ gpg2 --card-status
gpg: selecting openpgp failed: Unsupported certificate
gpg: OpenPGP card not available: Unsupported certificate
[rjh at localhost ~]$ gpg --card-status
gpg: detected reader `SCM Microsystems Inc. SCR 3310 [CCID Interface] 00 00'
Application ID ...: D276000124010200000500000D180000
Version ..........: 2.0
Manufacturer .....: ZeitControl
Serial number ....: 00000D18
Name of cardholder: Robert Hansen
... snip...
From vedaal at nym.hush.com Tue Jan 29 18:49:10 2013
From: vedaal at nym.hush.com (vedaal at nym.hush.com)
Date: Tue, 29 Jan 2013 12:49:10 -0500
Subject: RSA // OAEP // SHA-1
Message-ID: <20130129174910.81CD710E2C8@smtp.hushmail.com>
As the padding scheme in RSA (OAEP) uses SHA-1, then, *eventually*, as people move away from using SHA-1, and toward a V5 key where SHA-1 is not used,
will it also be necessary to re-do the RSA padding to not use SHA-1, and if so, would this fall under the open-pgp RFC, or would it have to go through an RSA standard first?
just curious,
vedaal
From JPClizbe at tx.rr.com Wed Jan 30 01:36:25 2013
From: JPClizbe at tx.rr.com (John Clizbe)
Date: Tue, 29 Jan 2013 18:36:25 -0600
Subject: RSA // OAEP // SHA-1
In-Reply-To: <20130129174910.81CD710E2C8@smtp.hushmail.com>
References: <20130129174910.81CD710E2C8@smtp.hushmail.com>
Message-ID: <51086B09.1090803@tx.rr.com>
vedaal at nym.hush.com wrote:
> As the padding scheme in RSA, (OAEP) uses SHA-1, then , *eventually*, as
> people move away from using SHA-1, and toward a V5 key where SHA-1 is not used,
> will it also be necessary to re-do the RSA padding to not use SHA-1, and
> if so, would this fall under the open-pgp RFC, or would it have to go through an
> RSA standard first?
This is probably more on topic for the IETF-OpenPGP list, but anyway...
RFC 4880 makes no mention of OAEP. RFC 4880 references RFC 3447 for details of
RSA implementation.
So, from what I can tell, RSA standard first, then OpenPGP by incorporating
the new RSA standard. THEN, Gnupg.
[RFC4880] J. Callas, L. Donnerhacke, H. Finney, D. Shaw, R. Thayer.
"OpenPGP Message Format", RFC 4880, November 2007.
https://tools.ietf.org/html/rfc4880
[RFC3447] Jonsson, J. and B. Kaliski, "Public-Key Cryptography Standards
(PKCS) #1: RSA Cryptography Specifications Version 2.1",
RFC 3447, February 2003. https://tools.ietf.org/html/rfc3447
--
John P. Clizbe Inet: John (a) Gingerbear DAWT net
SKS/Enigmail/PGP-EKP or: John ( @ ) Enigmail DAWT net
FSF Assoc #995 / FSFE Fellow #1797 hkp://keyserver.gingerbear.net or
mailto:pgp-public-keys at gingerbear.net?subject=HELP
Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"
From lists at michel-messerschmidt.de Wed Jan 30 20:40:25 2013
From: lists at michel-messerschmidt.de (Michel Messerschmidt)
Date: Wed, 30 Jan 2013 20:40:25 +0100
Subject: RSA // OAEP // SHA-1
In-Reply-To: <51086B09.1090803@tx.rr.com>
References: <20130129174910.81CD710E2C8@smtp.hushmail.com>
<51086B09.1090803@tx.rr.com>
Message-ID: <20130130194025.GA5039@ryu.matrix>
On Tue, Jan 29, 2013 at 06:36:25PM -0600, John Clizbe wrote:
> vedaal at nym.hush.com wrote:
> > if so, would this fall under the open-pgp RFC, or would it have to go through an
> > RSA standard first?
>
> RFC 4880 makes no mention of OAEP. RFC 4880 references RFC 3447 for details of
> RSA implementation.
>
> So, from what I can tell, RSA standard first, then OpenPGP by incorporating
> the new RSA standard. THEN, Gnupg.
Although it is the default, RFC 3447 is not restricted to SHA-1.
Appendix B actually states:
"For the RSAES-OAEP encryption scheme and EMSA-PSS encoding method,
only SHA-1 and SHA-256/384/512 are recommended."
From vedaal at nym.hush.com Wed Jan 30 21:50:14 2013
From: vedaal at nym.hush.com (vedaal at nym.hush.com)
Date: Wed, 30 Jan 2013 15:50:14 -0500
Subject: RSA // OAEP // SHA-1
In-Reply-To: <20130130194025.GA5039@ryu.matrix>
References: <20130129174910.81CD710E2C8@smtp.hushmail.com>
<51086B09.1090803@tx.rr.com> <20130130194025.GA5039@ryu.matrix>
Message-ID: <20130130205014.A968E6F443@smtp.hushmail.com>
On Wednesday, January 30, 2013 at 3:28 PM, "Michel Messerschmidt" wrote:
>
>Although it is the default, RFC 3447 is not restricted to SHA-1.
>Appendix B actually states:
>"For the RSAES-OAEP encryption scheme and EMSA-PSS encoding
>method,
>only SHA-1 and SHA-256/384/512 are recommended."
Which would mean that GnuPG wouldn't need any overhaul of standards to move from a default of SHA-1 to SHA-256,
(although it might involve making changes to the crypto library that GnuPG uses for RSA).
After thinking about it some more, though, it doesn't seem like much of a threat to continue SHA-1,
(or at least, less important for GnuPG to concern itself, than with the SHA-1 involved in the fingerprint.)
GnuPG uses RSA padding only to encrypt and decrypt the random session key.
All other encryption is done by symmetric algorithms and doesn't involve RSA and its padding.
As the session key is random, it isn't vulnerable to a plain-text attack, and might not need any padding at all,
and so, the hash function used for the padding isn't such an issue...
Sorry to take up the time needlessly.
vedaal
From avi.wiki at gmail.com Wed Jan 30 21:35:03 2013
From: avi.wiki at gmail.com (Avi)
Date: Wed, 30 Jan 2013 15:35:03 -0500
Subject: RSA // OAEP // SHA-1
In-Reply-To: <20130130194025.GA5039@ryu.matrix>
References: <20130129174910.81CD710E2C8@smtp.hushmail.com>
<51086B09.1090803@tx.rr.com> <20130130194025.GA5039@ryu.matrix>
Message-ID:
Would it make sense to amend that to add SHA-3?
--Avi
On 1/30/13, Michel Messerschmidt wrote:
> On Tue, Jan 29, 2013 at 06:36:25PM -0600, John Clizbe wrote:
>> vedaal at nym.hush.com wrote:
>> > if so, would this fall under the open-pgp RFC, or would it have to go
>> > through an
>> > RSA standard first?
>>
>> RFC 4880 makes no mention of OAEP. RFC 4880 references RFC 3447 for
>> details of
>> RSA implementation.
>>
>> So, from what I can tell, RSA standard first, then OpenPGP by
>> incorporating
>> the new RSA standard. THEN, Gnupg.
>
> Although it is the default, RFC 3447 is not restricted to SHA-1.
> Appendix B actually states:
> "For the RSAES-OAEP encryption scheme and EMSA-PSS encoding method,
> only SHA-1 and SHA-256/384/512 are recommended."
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
--
Sent from my mobile device
----
User:Avraham
pub 3072D/F80E29F9 1/30/2009 Avi (Wikimedia-related key)
Primary key fingerprint: 167C 063F 7981 A1F6 71EC ABAA 0D62 B019 F80E 29F9
From jw72253 at verizon.net Thu Jan 31 19:10:07 2013
From: jw72253 at verizon.net (John A. Wallace)
Date: Thu, 31 Jan 2013 12:10:07 -0600
Subject: using gpg with http proxy
Message-ID: <000501cdffde$33f06eb0$9bd14c10$@net>
When I looked here: http://www.gnupg.org/documentation/manpage.en.html, I
see it mentioned that the option "--honor-http-proxy" is available and would
work if there is an environment variable setting for "http_proxy". Would
this work in Windows, and would it simply be ignored if no environment
variable were set ahead of time? Finally, in general can an option like this
be put either in an options file or in "gpg.conf"? Thanks.
John A. Wallace
The pen is mightier than the sword, but only if you get in the first stroke.
From jw72253 at verizon.net Thu Jan 31 18:24:19 2013
From: jw72253 at verizon.net (John A. Wallace)
Date: Thu, 31 Jan 2013 11:24:19 -0600
Subject: path defaults for gpg.conf
Message-ID: <000001cdffd7$cdb20560$69161020$@net>
I have two instances of GnuPG installed on a Windows 7 OS. I also use an
application that appears to have installed an instance of it for its own use
and put it into one of its separate folders along with some of the files
needed with it, including "gpg.exe" and a unique "gpg.conf" file, among
others. However, when I go to that folder, in which this third instance of
gpg was placed, with a command prompt in Windows and type ".\gpg.exe -h",
the initial output from this command includes these lines:
Home: %APPDATA%/gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
What puzzles me is the line with "Home". I have two questions about it.
First, where is it getting that environment variable(?) called "Home" since
I do not show it listed among the environment variables I can see in Windows
when I issue the "set" command to show me all of them? Secondly, why does
"Home" point to the path it does instead of pointing to the current
directory path for which I issued the command ".\gpg.exe -h". If there is a
unique "gpg.conf" in this folder designed to work with this third instance
of "gpg.exe", shouldn't "Home" also be this current directory? Otherwise, it
would not see the commands and options I included in its special "gpg.conf".
Is that not so? Thanks.
John A. Wallace
The pen is mightier than the sword, but only if you get in the first stroke.
From per.hopstadius at logica.com Thu Jan 31 14:29:50 2013
From: per.hopstadius at logica.com (perhop)
Date: Thu, 31 Jan 2013 05:29:50 -0800 (PST)
Subject: gpg: WARNING: message was not integrity protected - MDC
Message-ID: <1359638990136-29533.post@n7.nabble.com>
Hi
This has been discussed before and I have a question referring to this.
Short summary:
A customer encrypts data with our public key, we receive the file and we
attempt to decrypt it. The decrypt step seems to work but we get a warning
message while validating the file (gpg: WARNING: message was not integrity
protected). The question is how to avoid the warning message.
After reading the forum I believe this has to do with mdc, that mdc is not
forced in this case and that is causing the warning message.
I would like to know how you enable mdc. Do I tell the customer to force mdc
or is that controlled from my side, automatic controlled depending on what
cipher method I use?
We run GPG version 1.4.9 and customer PGP 7.1
Please advise a noob
Regards,
Dan
--
View this message in context: http://gnupg.10057.n7.nabble.com/gpg-WARNING-message-was-not-integrity-protected-MDC-tp29533.html
Sent from the GnuPG - User mailing list archive at Nabble.com.
From vivarto at gmail.com Thu Jan 31 18:26:38 2013
From: vivarto at gmail.com (Veet Vivarto)
Date: Thu, 31 Jan 2013 07:26:38 -1000
Subject: 1.4.12 beta installer for Windows
In-Reply-To: <87y5syd8ah.fsf@vigenere.g10code.de>
References: <87y5syd8ah.fsf@vigenere.g10code.de>
Message-ID:
Hello Werner,
My friend and I are working on an easy to use front-end for GPG for Windows
and Mac.
On Windows we are using the 1.4.11 because it only requires two files
(.exe, .dll)
I have not been able to find a small Mac command line program that would
correspond to GnuPG 1.4.
I only found the huge package called GPGTools.
Thank you in advance for your help.
Vivarto
From dshaw at jabberwocky.com Thu Jan 31 21:41:06 2013
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu, 31 Jan 2013 15:41:06 -0500
Subject: gpg: WARNING: message was not integrity protected - MDC
In-Reply-To: <1359638990136-29533.post@n7.nabble.com>
References: <1359638990136-29533.post@n7.nabble.com>
Message-ID:
On Jan 31, 2013, at 8:29 AM, perhop wrote:
> Hi
>
> This has been discussed before and I have an question referring to this.
> Short summary:
>
> A customer encrypts data with our public key, we receive the file and we
> attempt to decrypt it. The decrypt step seems to work but we get a warning
> message while validating the file (gpg: WARNING: message was not integrity
> protected). The question is how to avoid the warning message.
>
> After reading the forum I believe this has to do with mdc, that mdc is not
> forced in this case and that is causing the warning message.
>
> I would like to know how you enable mdc. Do I tell the customer to force mdc
> or is that controlled from my side, automatic controlled depending on what
> cipher method I use?
> We run GPG version 1.4.9 and customer PGP 7.1
Note that the message you see is just a warning. It does not affect decryption - it's just telling you that the sender didn't protect the message.
There are several ways to enable MDC. The most common way is a flag on your key that instructs the customer's PGP to enable MDC (i.e. "I can handle MDC, so you're free to use it"). So the first thing you should do is check your key to see if it has the MDC flag on it. To do this, run:
gpg --edit-key (yourkey)
and enter "showpref" at the prompt. The final line is "Features". If "MDC" is on that line, then you have the MDC flag, and anyone communicating with you should use a MDC if they support it. That said, I see that your customer is using PGP 7.1, which is incredibly old at this point. I don't recall offhand if it supports MDC or not (I have a vague recollection that PGP only started supporting it in PGP 8 - which is itself very old at this point).
If your key has the MDC flag, then the problem is most likely that the customer's PGP doesn't support MDC. Since you probably can't upgrade the customer, you can use the --no-mdc-warning on your side. This doesn't change the fact that the message you got isn't protected, but does prevent the warning from being printed.
David
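An added example, not part of David Shaw's message and not GnuPG's own code: a small RFC 4880 packet-header walker that reports whether a binary (de-armored) OpenPGP message carries its ciphertext in a tag 18 packet (Symmetrically Encrypted Integrity Protected Data, i.e. with MDC) or in a tag 9 packet (Symmetrically Encrypted Data, no MDC), the case that produces the warning discussed in this thread. The function names are hypothetical and both sample messages are constructed header-only byte strings, not real ciphertext.

```python
"""Tell MDC-protected OpenPGP messages from unprotected ones (RFC 4880, section 4.2)."""

TAG_SED = 9      # Symmetrically Encrypted Data: no integrity protection
TAG_SEIPD = 18   # Sym. Encrypted Integrity Protected Data: carries an MDC


def _new_length(data, pos):
    """Decode one new-format length at data[pos] -> (length, next_pos, is_partial)."""
    first = data[pos]
    if first < 192:
        return first, pos + 1, False
    if first < 224:
        return ((first - 192) << 8) + data[pos + 1] + 192, pos + 2, False
    if first == 255:
        return int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5, False
    return 1 << (first & 0x1F), pos + 1, True   # partial body length chunk


def iter_packets(data):
    """Yield (tag, body_length, first_body_octet) for each top-level packet."""
    pos = 0
    try:
        while pos < len(data):
            ctb = data[pos]
            if not ctb & 0x80:
                raise ValueError("no OpenPGP packet at offset %d" % pos)
            pos += 1
            total, first_octet = 0, None
            if ctb & 0x40:                      # new-format header
                tag = ctb & 0x3F
                partial = True
                while partial:                  # partial chunks, then a final length
                    length, pos, partial = _new_length(data, pos)
                    if first_octet is None and length:
                        first_octet = data[pos]
                    total += length
                    pos += length
            else:                               # old-format header
                tag = (ctb >> 2) & 0x0F
                length_type = ctb & 0x03
                if length_type == 3:            # indeterminate: runs to end of input
                    total = len(data) - pos
                else:
                    size = 1 << length_type     # 1, 2 or 4 length octets
                    total = int.from_bytes(data[pos:pos + size], "big")
                    pos += size
                if total:
                    first_octet = data[pos]
                pos += total
            if pos > len(data):
                raise ValueError("truncated packet")
            yield tag, total, first_octet
    except IndexError:
        raise ValueError("truncated packet") from None


def classify(data):
    """Return 'integrity-protected', 'no-mdc' or 'not-encrypted' for a binary message."""
    for tag, _length, first_octet in iter_packets(data):
        if tag == TAG_SEIPD:
            if first_octet != 1:                # RFC 4880 defines only version 1
                raise ValueError("unknown SEIPD version")
            return "integrity-protected"
        if tag == TAG_SED:
            return "no-mdc"
    return "not-encrypted"


# Constructed samples (headers plus filler bytes, not decryptable messages).
# Old-format tag 1 packet (public-key encrypted session key), 10-octet body.
_PKESK = b"\x84\x0a\x03" + bytes(8) + b"\x01"
# Old-format tag 9 packet with a 4-octet body: no MDC.
SAMPLE_NO_MDC = _PKESK + b"\xa4\x04\xde\xad\xbe\xef"
# New-format tag 18 packet: one 512-octet partial chunk, then a final 3 octets.
SAMPLE_MDC = _PKESK + b"\xd2\xe9\x01" + bytes(511) + b"\x03" + bytes(3)

if __name__ == "__main__":
    for name, blob in (("no-mdc sample", SAMPLE_NO_MDC), ("mdc sample", SAMPLE_MDC)):
        print(name, "->", classify(blob))
```

Running this over incoming files before decryption lets a receiving script log which senders still produce unprotected messages, independently of whether the warning is suppressed.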